# Configuring And Checking for Login Sessions

A login session is created when a user signs in. How the session is carried depends on the type of client: browser clients hold it in a session cookie, API clients in a session token.
## Login Session Configuration

A session is valid for the session lifespan you specify in the ORY Kratos config:

By default the session cookie has its `max-age` parameter set to the specified session lifespan, so the browser keeps the cookie across restarts until the session expires. You may disable this behavior by setting:
note

The cookie `max-age` parameter behaves as follows:

- If `max-age` is not set as part of the `Set-Cookie` header, the browser treats the cookie as a session cookie and removes it when the browser session ends, for example when the browser is closed or the machine reboots. Browsers configured to restore the previous session on startup may keep such cookies anyway, so this is not a substitute for logout.
- Otherwise the browser keeps the cookie until `max-age` is reached.

Once the lifespan is reached, the user needs to sign in again. Note that the browser dropping the cookie does not invalidate the session on the server; the session stays usable until it expires or is revoked through logout.
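Whether a deployment actually hands out a persistent cookie or a session-only cookie is easiest to confirm from the `Set-Cookie` header the browser receives after login. The helper below is an added example written for this page, not code from the ORY Kratos project. It parses one `Set-Cookie` value, applies the lifetime rules from RFC 6265 (this goes slightly beyond the note above by also handling `Expires`, which loses to `Max-Age` when both are present), and reports which of `HttpOnly`, `Secure` and `SameSite` are missing. The two sample headers are constructed, and `ory_kratos_session` is used as the cookie name only for illustration.

```javascript
// Added example (not from the ORY Kratos docs or project): classify a Set-Cookie
// header as a session cookie (dropped when the browser session ends) or a
// persistent cookie (kept until Max-Age / Expires), and list missing hardening flags.

// Parse a single Set-Cookie header value into name, value and lower-cased attributes.
// Valueless attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Decide how a browser will treat the cookie's lifetime (RFC 6265 section 5.2):
// Max-Age wins over Expires; Max-Age <= 0 means "delete now"; with neither
// attribute the cookie lives only until the browser session ends.
function cookieLifetime(header, now = new Date()) {
  const { name, attributes } = parseSetCookie(header);
  if ('max-age' in attributes) {
    const seconds = Number(attributes['max-age']);
    const expiresAt = new Date(now.getTime() + seconds * 1000);
    return { name, persistent: seconds > 0, expiresAt, source: 'max-age' };
  }
  if ('expires' in attributes) {
    const expiresAt = new Date(attributes.expires);
    return { name, persistent: expiresAt > now, expiresAt, source: 'expires' };
  }
  return { name, persistent: false, expiresAt: null, source: 'session' };
}

// Flags a session cookie should carry regardless of its lifetime.
function missingHardeningFlags(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!('httponly' in attributes)) missing.push('HttpOnly');
  if (!('secure' in attributes)) missing.push('Secure');
  if (!('samesite' in attributes)) missing.push('SameSite');
  return missing;
}

// Constructed sample headers (not captured from a real deployment).
const PERSISTENT_COOKIE =
  'ory_kratos_session=MTYx...; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax';
const SESSION_ONLY_COOKIE =
  'ory_kratos_session=MTYx...; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log('persistent cookie:', cookieLifetime(PERSISTENT_COOKIE));
console.log('session-only cookie:', cookieLifetime(SESSION_ONLY_COOKIE));
console.log('missing flags:', missingHardeningFlags('ory_kratos_session=x; Path=/'));
```

Run it against the header your own Kratos instance returns after a successful login to confirm that the persistence setting took effect and that the cookie is not missing `HttpOnly`, `Secure` or `SameSite`.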
## Checking for Login Sessions

### Browser Client

The easiest way to check if a user is signed in is to call the `http(s)://<kratos-public>/sessions/whoami` endpoint, which returns either `HTTP 401 Unauthorized` or `HTTP 200 OK` with the session.
note

Make sure to include the ORY Kratos Session Cookie when calling this endpoint. If you are calling this endpoint from a proxy or middleware, make sure to forward the cookies sent to the proxy/middleware. If you are calling this endpoint as an AJAX call, make sure to include credentials (for `fetch`, `credentials: 'include'`) and configure CORS properly, since a browser will not send or accept cookies cross-origin unless the server allows credentials.
A typical session payload will look like this:
#### Code Examples

- ExpressJS
### API Client

API clients receive and use ORY Kratos Session Tokens, which can be checked by calling the `/sessions/whoami` endpoint and including the ORY Kratos Session Token as a bearer token in the HTTP `Authorization` header:
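Both checks described above, forwarding the browser's session cookie and presenting the API client's session token as a bearer token, end in the same `/sessions/whoami` call, so they can share one implementation. The following is an added example written for this page, not code from the ORY Kratos project and not its ExpressJS example: a dependency-free Node.js helper that forwards only those two credential headers, treats anything other than `HTTP 200 OK` as "not signed in", and a wrapper that guards a request handler. `KRATOS_PUBLIC_URL`, the cookie and token values and the `fakeKratos` responder are assumptions constructed so the example runs offline; the `id`, `active` and `identity` fields mirror the shape of the whoami session payload.

```javascript
// Added example (not from the ORY Kratos docs or project): check for a login
// session by calling /sessions/whoami with the credentials a client presented.
// KRATOS_PUBLIC_URL is an assumed deployment address.
const KRATOS_PUBLIC_URL = process.env.KRATOS_PUBLIC_URL || 'http://127.0.0.1:4433';

// Pick out of the incoming request only the two credentials Kratos understands:
// the session cookie (browser clients) and the session token as a bearer token
// (API clients). Nothing else from the client request is forwarded to Kratos.
function whoamiHeaders(incoming) {
  const headers = { Accept: 'application/json' };
  if (incoming.cookie) headers.Cookie = incoming.cookie;
  if (incoming.authorization && /^Bearer\s+\S+$/i.test(incoming.authorization)) {
    headers.Authorization = incoming.authorization;
  }
  return headers;
}

// Ask Kratos whether the presented credentials belong to an active session.
// Fails closed: only a 200 carrying an identity counts as signed in; 401, 5xx,
// unexpected payloads and network errors all yield ok: false.
async function checkSession(incoming, fetchImpl = globalThis.fetch, baseUrl = KRATOS_PUBLIC_URL) {
  const headers = whoamiHeaders(incoming);
  if (!headers.Cookie && !headers.Authorization) {
    return { ok: false, status: 401, reason: 'no session cookie or session token presented' };
  }
  let res;
  try {
    res = await fetchImpl(`${baseUrl}/sessions/whoami`, { method: 'GET', headers, redirect: 'manual' });
  } catch (err) {
    return { ok: false, status: 503, reason: `whoami unreachable: ${err.message}` };
  }
  if (res.status !== 200) {
    return { ok: false, status: res.status, reason: 'kratos reported no active session' };
  }
  const session = await res.json();
  if (!session || session.active === false || !session.identity) {
    return { ok: false, status: 401, reason: 'whoami payload has no active identity' };
  }
  return { ok: true, session };
}

// Guard a Node http handler: run it only for signed-in users, otherwise answer 401.
// `deps` lets callers (and tests) inject a fetch implementation and base URL.
function requireSession(handler, deps = {}) {
  return async (req, res) => {
    const result = await checkSession(req.headers, deps.fetchImpl, deps.baseUrl);
    if (!result.ok) {
      res.writeHead(401, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ error: result.reason }));
      return;
    }
    req.session = result.session; // hand the session (including identity) to the handler
    return handler(req, res);
  };
}

// Constructed stand-in for the Kratos public API so the example runs offline.
// It accepts exactly one cookie value and one bearer token; everything else is 401.
async function fakeKratos(url, { headers }) {
  const cookieOk = /(^|;\s*)ory_kratos_session=valid-cookie(\s*;|$)/.test(headers.Cookie || '');
  const tokenOk = headers.Authorization === 'Bearer valid-token';
  if (!url.endsWith('/sessions/whoami') || !(cookieOk || tokenOk)) {
    return { status: 401, json: async () => ({ error: { code: 401, message: 'Unauthorized' } }) };
  }
  return {
    status: 200,
    json: async () => ({
      id: 'sess-1', active: true, expires_at: '2030-01-01T00:00:00Z',
      identity: { id: 'id-1', traits: { email: 'user@example.com' } },
    }),
  };
}

// Stand-alone demonstration against the constructed responder.
checkSession({ cookie: 'ory_kratos_session=valid-cookie' }, fakeKratos)
  .then((r) => console.log('cookie check:', r.ok, r.ok ? r.session.identity.id : r.reason));
checkSession({ authorization: 'Bearer valid-token' }, fakeKratos)
  .then((r) => console.log('token check:', r.ok, r.ok ? r.session.identity.id : r.reason));
```

A 200 from whoami only tells you that the caller has an active session; what that identity is allowed to do is still your application's decision. Forwarding only the `Cookie` and `Authorization` headers, rather than the whole client request, keeps attacker-controlled headers away from Kratos.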