gitwtfhub

wtf is apisix-session-manager?

abhishek-kumar09/apisix-session-manager — explained in plain English

Analysis updated 2026-07-18 · repo last pushed 2023-04-16

Audience · ops devopsComplexity · 3/5DormantSetup · moderate

TL;DR

A plugin for APISIX API gateway that handles user sessions via browser cookies, so users authenticate once instead of sending credentials on every request. It also supports sticky sessions to route users to the same backend server.

Mindmap

mindmap
  root((repo))
    What it does
      Manages user sessions
      Browser cookie based
      Sticky session routing
      Auto session expiry
    Key features
      Stores auth data
      Brute force protection
      Configurable timeouts
      Custom key-auth support
    Use cases
      Microservices auth
      Load balancing pinning
      API gateway sessions
    Tech stack
      APISIX
      Lua
    Limitations
      In-memory only storage
      No domain name stickiness
    Audience
      API gateway operators
      Backend engineering teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Add session management to an APISIX API gateway so users log in once instead of passing credentials on every API call.

REASON 2

Keep users pinned to the same backend server during load balancing for consistency and performance.

REASON 3

Protect APIs from brute force attacks with automatic session expiry and refresh after failed requests.

What's in the stack?

APISIXLua

How it stacks up

abhishek-kumar09/apisix-session-manager0verflowme/alarm-clock0verflowme/seclists
LanguageCSS
Last pushed2023-04-162022-10-032020-05-03
MaintenanceDormantDormantDormant
Setup difficultymoderateeasyeasy
Complexity3/52/51/5
Audienceops devopsvibe coderops devops

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Requires an existing APISIX API gateway installation and familiarity with APISIX plugin configuration.

The explanation does not mention a license, so the terms of use are unknown.

Wtf does this do

apisix-session-manager is a plugin for APISIX, which is a tool that sits in front of your APIs and routes traffic to the right place. APISIX doesn't have built-in session management, meaning it can't remember who a user is across multiple requests. This plugin fills that gap by handling user sessions automatically through browser cookies. Once a user authenticates once, the plugin remembers them for the duration of their session, so they don't need to pass credentials with every single request. The plugin does three main things. First, it stores authentication data in a session, so after a user logs in once, they don't need to keep sending their API key in every request header. Second, it supports "sticky sessions", when you have multiple servers behind your API gateway, this plugin makes sure a given user keeps getting routed to the same server, which can matter for performance or consistency. Third, it handles session lifecycle automatically: sessions expire after a configurable timeout, and they also get refreshed after a certain number of failed requests, which protects against brute force attempts. The people who would use this are teams already running APISIX as their API gateway who need session handling without building it from scratch. For example, if you have a microservices setup where users authenticate once and then make many API calls, this plugin means you don't have to pass credentials on every call. Or if you're load balancing across several backend servers and want to keep users pinned to one for the duration of their session, this manages the cookies for that automatically. There are some limitations worth knowing about. Sessions are currently stored in memory, so they don't survive a restart, the README notes that database backends could be added later for durability. Sticky sessions don't work when your backend servers are addressed by domain name rather than IP, which is a broader APISIX limitation. The plugin also includes a custom version of APISIX's key-auth feature to work around cases where other plugins might interfere with the session lifecycle.

Yoink these prompts

Prompt 1
I'm running APISIX as my API gateway and want users to authenticate once instead of sending API keys on every request. How do I set up apisix-session-manager to handle sessions via cookies?
Prompt 2
I have multiple backend servers behind APISIX and want to make sure each user stays routed to the same server during their session. How do I configure sticky sessions with apisix-session-manager?
Prompt 3
How do I configure session timeout and brute-force protection settings in apisix-session-manager so sessions expire automatically after a period of inactivity?
Prompt 4
What are the limitations of apisix-session-manager regarding in-memory session storage and domain-name-based sticky sessions, and how do they affect my deployment?

Frequently asked questions

wtf is apisix-session-manager?

A plugin for APISIX API gateway that handles user sessions via browser cookies, so users authenticate once instead of sending credentials on every request. It also supports sticky sessions to route users to the same backend server.

Is apisix-session-manager actively maintained?

Dormant — no commits in 2+ years (last push 2023-04-16).

What license does apisix-session-manager use?

The explanation does not mention a license, so the terms of use are unknown.

How hard is apisix-session-manager to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is apisix-session-manager for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.