@Rohit_Chauriha the configs you posted would mean that the cookie is only valid for 120 seconds (2 min), but only if the user is inactive. If the user is active, then the cookie will renew once the session falls below 10s left in the session. You should have the session working in tandem with an authentication plugin, as https://github.com/Kong/kong-plugin-session#usage describes. So the authentication credential would be sent to obtain the cookie, and then every request afterwards would only use the cookie. If the authentication credentials are sent along with the cookie, then the cookie will be renewed continuously and the service will only use credentials. Also, let me know what version of the plugin you are using if you pulled from LuaRocks, and what version of Kong.
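A small Python model of the timing described in the reply above, added here as an illustration; it is not code from the post or from the Kong session plugin. The 120 s lifetime and 10 s renew threshold come from the reply; the names `handle` and `replay` and the request timelines are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

COOKIE_LIFETIME = 120  # seconds a cookie stays valid (value from the reply)
COOKIE_RENEW = 10      # renew when fewer than this many seconds remain (from the reply)


@dataclass
class Result:
    allowed: bool                   # was the request let through?
    via: Optional[str]              # "credentials", "cookie", or None if rejected
    cookie_expiry: Optional[float]  # expiry of the cookie the client holds afterwards
    reissued: bool                  # did the response carry a fresh cookie?


def handle(now: float, cookie_expiry: Optional[float], sends_credentials: bool) -> Result:
    """Model one request (assumed simplification of the behaviour in the reply)."""
    # Credentials present: the authentication plugin decides, and a new
    # cookie is issued on every such request, so the session never ages.
    if sends_credentials:
        return Result(True, "credentials", now + COOKIE_LIFETIME, True)
    # No credentials and no live cookie: the idle user must log in again.
    if cookie_expiry is None or now >= cookie_expiry:
        return Result(False, None, None, False)
    # Live cookie close to expiry: renew it for a full lifetime.
    if cookie_expiry - now < COOKIE_RENEW:
        return Result(True, "cookie", now + COOKIE_LIFETIME, True)
    # Live cookie with plenty of time left: use it unchanged.
    return Result(True, "cookie", cookie_expiry, False)


def replay(events: List[Tuple[float, bool]]) -> List[Result]:
    """Run a timeline of (time_in_seconds, sends_credentials) requests."""
    expiry: Optional[float] = None
    results = []
    for now, sends_credentials in events:
        result = handle(now, expiry, sends_credentials)
        expiry = result.cookie_expiry
        results.append(result)
    return results


if __name__ == "__main__":
    # Constructed timeline: log in once, then rely on the cookie alone.
    for r in replay([(0, True), (50, False), (115, False), (230, False), (360, False)]):
        print(r)
```

In the printed timeline the cookie is reused untouched at 50 s, renewed at 115 s and 230 s because fewer than 10 s remain, and rejected at 360 s because the renewed cookie expired at 350 s with no request in between.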