A login session is created when a user signs in. The session is stored as a cookie (browser flows) or as a session token (API clients), depending on how the client interacts with ORY Kratos.
A session is valid for the session lifespan you specify in the ORY Kratos config:
By default the session cookie has its `max-age` parameter set to the specified session lifespan. You may disable this behavior by setting:
The `max-age` parameter behaves as follows:
- If `max-age` is not set as part of the `Set-Cookie` header, the browser treats the cookie as a session cookie and removes it when the browser session ends, that is, when the browser is shut down or the machine reboots. Be aware that browsers configured to restore the previous session on startup may keep such cookies across a restart, so this is not a reliable way to end a session.
- Otherwise the browser keeps the cookie until `max-age` is reached.
Once the lifespan is reached the session expires and the user needs to sign in again. This is enforced by ORY Kratos on the server side, independent of whether the browser still holds the cookie.
The easiest way to check if a user is signed in is to call the `http(s)://<kratos-public>/sessions/whoami` endpoint, which returns either `401 Unauthorized` (no valid session) or `200 OK` with the session in the response body.
Make sure to include the ORY Kratos Session Cookie when calling this endpoint. If you are calling it from a proxy or middleware, forward the cookies the browser sent to the proxy/middleware. If you are calling it as an AJAX call, make sure to include credentials (for example `credentials: 'include'` with `fetch`) and configure CORS on ORY Kratos so that the browser is allowed to send them to the Kratos origin.
A typical session payload will look like this:
API clients receive and use ORY Kratos Session Tokens instead of cookies. These can be checked against the same `/sessions/whoami` endpoint by including the ORY Kratos Session Token as a bearer token in the HTTP `Authorization` header (`Authorization: Bearer <session-token>`).
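The cookie-based check for browser requests and the bearer-token check for API clients, as one added example in Go that is not part of the ORY Kratos documentation or code base: a hypothetical `sessionGate` middleware forwards whatever credential the client presented (the browser's cookies, or the `Authorization: Bearer` header) to `/sessions/whoami` and lets the request through only on `200 OK`. The Kratos side is a constructed fake that implements just that endpoint; `ory_kratos_session` is the default Kratos cookie name, and the credential values are made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed stand-in for the ORY Kratos public API: it serves only /sessions/whoami and accepts
// one cookie value and one bearer token. ory_kratos_session is the default Kratos cookie name.
const fakeCookieName, fakeValidCookie, fakeValidToken = "ory_kratos_session", "example-cookie-value", "example-session-token"

func newFakeKratos() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/sessions/whoami", func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(fakeCookieName)
		if (err == nil && c.Value == fakeValidCookie) || r.Header.Get("Authorization") == "Bearer "+fakeValidToken {
			// Minimal session-shaped body; the real payload carries many more fields.
			fmt.Fprint(w, `{"id":"00000000-0000-0000-0000-000000000000","active":true}`)
			return
		}
		http.Error(w, `{"error":{"code":401,"status":"Unauthorized"}}`, http.StatusUnauthorized)
	})
	return httptest.NewServer(mux)
}

// sessionGate is the hypothetical middleware: a request reaches the protected handler only if
// Kratos answers /sessions/whoami with 200 for the credentials that request carries.
type sessionGate struct {
	whoamiURL string
	client    *http.Client
	next      http.Handler
}

func newSessionGate(kratosPublicURL string, next http.Handler) *sessionGate {
	return &sessionGate{
		whoamiURL: strings.TrimRight(kratosPublicURL, "/") + "/sessions/whoami",
		client:    &http.Client{Timeout: 5 * time.Second},
		next:      next,
	}
}

func (g *sessionGate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, g.whoamiURL, nil)
	if err != nil {
		http.Error(w, "session check failed", http.StatusBadGateway)
		return
	}
	// Browser flow: forward the cookies the browser sent us so Kratos sees its session cookie.
	for _, c := range r.Cookies() {
		req.AddCookie(c)
	}
	// API flow: forward the session token as a bearer token, verbatim.
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(auth), "bearer ") {
		req.Header.Set("Authorization", auth)
	}
	resp, err := g.client.Do(req)
	if err != nil { // Kratos unreachable: fail closed, but not with a misleading 401
		http.Error(w, "session check failed", http.StatusBadGateway)
		return
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 401, or anything else that is not 200: not signed in
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	g.next.ServeHTTP(w, r)
}

// demo guards a trivial 204 handler with the gate, backed by the fake Kratos, and reports the
// status a client sees for each kind of credential. Used by main and by the test.
func demo() map[string]int {
	kratos := newFakeKratos()
	defer kratos.Close()
	gate := newSessionGate(kratos.URL, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }))
	probe := func(cookie, token string) int {
		req := httptest.NewRequest(http.MethodGet, "/protected", nil)
		if cookie != "" {
			req.AddCookie(&http.Cookie{Name: fakeCookieName, Value: cookie})
		}
		if token != "" {
			req.Header.Set("Authorization", "Bearer "+token)
		}
		rec := httptest.NewRecorder()
		gate.ServeHTTP(rec, req)
		return rec.Code
	}
	return map[string]int{
		"valid cookie":   probe(fakeValidCookie, ""),
		"valid token":    probe("", fakeValidToken),
		"wrong cookie":   probe("not-a-session", ""),
		"no credentials": probe("", ""),
	}
}

func main() { fmt.Println(demo()) } // map[no credentials:401 valid cookie:204 valid token:204 wrong cookie:401]
```

Two choices worth copying into a real middleware: a network error talking to Kratos is answered with 502, not 401, so an outage is not mistaken for a logged-out user while the request still fails closed; and only the `Cookie` and `Authorization` headers are forwarded, not the whole incoming request. In production the gate would be pointed at the real `http(s)://<kratos-public>` and would typically forward only the Kratos session cookie by name rather than every cookie the browser sent.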