abhishek-kumar09/apisix-session-manager — explained in plain English
Analysis updated 2026-07-18 · repo last pushed 2023-04-16
Add session management to an APISIX API gateway so users log in once instead of passing credentials on every API call.
Keep users pinned to the same backend server during load balancing for consistency and performance.
Protect APIs from brute force attacks with automatic session expiry and refresh after failed requests.
| abhishek-kumar09/apisix-session-manager | 0verflowme/alarm-clock | 0verflowme/seclists | |
|---|---|---|---|
| Language | — | CSS | — |
| Last pushed | 2023-04-16 | 2022-10-03 | 2020-05-03 |
| Maintenance | Dormant | Dormant | Dormant |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 1/5 |
| Audience | ops devops | vibe coder | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires an existing APISIX API gateway installation and familiarity with APISIX plugin configuration.
apisix-session-manager is a plugin for APISIX, which is a tool that sits in front of your APIs and routes traffic to the right place. APISIX doesn't have built-in session management, meaning it can't remember who a user is across multiple requests. This plugin fills that gap by handling user sessions automatically through browser cookies. Once a user authenticates once, the plugin remembers them for the duration of their session, so they don't need to pass credentials with every single request. The plugin does three main things. First, it stores authentication data in a session, so after a user logs in once, they don't need to keep sending their API key in every request header. Second, it supports "sticky sessions", when you have multiple servers behind your API gateway, this plugin makes sure a given user keeps getting routed to the same server, which can matter for performance or consistency. Third, it handles session lifecycle automatically: sessions expire after a configurable timeout, and they also get refreshed after a certain number of failed requests, which protects against brute force attempts. The people who would use this are teams already running APISIX as their API gateway who need session handling without building it from scratch. For example, if you have a microservices setup where users authenticate once and then make many API calls, this plugin means you don't have to pass credentials on every call. Or if you're load balancing across several backend servers and want to keep users pinned to one for the duration of their session, this manages the cookies for that automatically. There are some limitations worth knowing about. Sessions are currently stored in memory, so they don't survive a restart, the README notes that database backends could be added later for durability. Sticky sessions don't work when your backend servers are addressed by domain name rather than IP, which is a broader APISIX limitation. The plugin also includes a custom version of APISIX's key-auth feature to work around cases where other plugins might interfere with the session lifecycle.
A plugin for APISIX API gateway that handles user sessions via browser cookies, so users authenticate once instead of sending credentials on every request. It also supports sticky sessions to route users to the same backend server.
Dormant — no commits in 2+ years (last push 2023-04-16).
The explanation does not mention a license, so the terms of use are unknown.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.