Ory Session Token / Ory Session Cookie
When an identity or end-user authenticates using the password
method, they
will receive an Ory Session. The Ory Session can either be issued as an
- Ory Session Cookie, which is used for all browser-flows (such as PHP app, single page app, ...);
- Ory Session Token, which is used for non-browser flows (such as native apps).
The session's content may look like the following:
{
id: '1338410d-c473-4503-a96a-53efa06e2531',
active: true,
expires_at: '2021-10-15T15:58:57.683338Z',
authenticated_at: '2021-10-14T15:58:57.683338Z',
authenticator_assurance_level: 'aal2',
authentication_methods: [
{
method: 'password',
completed_at: '2021-10-14T15:55:19.03621Z'
},
{
method: 'lookup_secret',
completed_at: '2021-10-14T15:56:21.257867Z'
},
{
method: 'lookup_secret',
completed_at: '2021-10-14T15:58:57.683337Z'
},
{
method: 'lookup_secret',
completed_at: '2021-10-14T16:03:14.833192Z'
}
],
issued_at: '2021-10-14T15:58:57.683338Z',
identity: {
id: '9496bbd5-f426-473f-b087-c7df853f274a',
schema_id: 'default',
schema_url: 'https://<your-project-slug>.projects.oryapis.com/schemas/default',
state: 'active',
state_changed_at: '2021-10-14T17:55:17.885497+02:00',
traits: {
website: 'https://www.ory.sh/',
email: '0.wz4yhr0zwyd@ory.sh'
},
verifiable_addresses: [
{
id: '4de14270-ca13-4efb-ac3f-8f03b1f649d8',
value: '0.wz4yhr0zwyd@ory.sh',
verified: false,
via: 'email',
status: 'sent',
created_at: '2021-10-14T17:55:17.886639+02:00',
updated_at: '2021-10-14T18:03:14.839009+02:00'
}
],
recovery_addresses: [
{
id: 'fdab5a5f-5efc-4202-93b5-fd3ee632420b',
value: '0.wz4yhr0zwyd@ory.sh',
via: 'email',
created_at: '2021-10-14T17:55:17.886831+02:00',
updated_at: '2021-10-14T18:03:14.839105+02:00'
}
],
created_at: '2021-10-14T17:55:17.886237+02:00',
updated_at: '2021-10-14T17:55:17.886237+02:00'
}
}
active
​
If set to true, Ory Session is active and can be used to authenticate requests.
expires_at
​
Indicates when the Ory Session expires.
authenticated_at
​
Indicates the time of the most recent authentication. When a new Ory Session is created (for example because of a successful login), this is set to the current time.
This field is updated when:
- The end-user authenticates with a second factor such as TOTP
- The end-user refreshes their session using the
/self-service/login/browser
or/self-service/login/api
endpoint and settingrefresh
totrue
Ory Session Cookie​
The Ory Session Cookie will be issued when the end-user is using a browser to
sign in. You can fetch the session's payload using the /sessions/whoami
endpoint:
curl 'https://<your-project-slug>.projects.oryapis.com/sessions/whoami' \
-H 'Accept: application/json \
-H 'Cookie: ory_kratos_session=MTYzNDIyNzEzN3xEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJRTFDYWtvME5VNVlaVWxvYVZWeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cL21Dclk3nCoXV41N6bFxvVJSt7CeICy_815Aw=='
Ory Session Token​
The Ory Session Token will be issued when the end-user is using, for example, a
native mobile app to sign in. In this case, you need to include the Ory Session
Token in the Authorization
HTTP Header
curl 'https://<your-project-slug>.projects.oryapis.com/sessions/whoami' \
-H 'Accept: application/json \
-H 'Authorization: Bearer BRFbGMzTnBiMjVmZEcEdjM1J5YVc1bkRDSUFvME5VNVlaVeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cLXV41N6bFxvVJSt7CeICy'
or alternatively in the X-Session-Token
HTTP Header:
curl 'https://<your-project-slug>.projects.oryapis.com/sessions/whoami' \
-H 'Accept: application/json \
-H 'X-Session-Token: BRFbGMzTnBiMjVmZEcEdjM1J5YVc1bkRDSUFvME5VNVlaVeWJrUnZhSEF4YmxSV2VVRlhNMWwxVlVGenxXpsk2cLXV41N6bFxvVJSt7CeICy'
Privileged Sessions​
Some profile changes, such as updating the password or adding / removing second factors, require a privileged Ory Session Token or Ory Session Cookie to be completed successfully:
Ory Sessions are considered "privileged" if their authenticated_at
time isn't
older than the privileged_session_max_age
specified in your config:
selfservice:
flows:
settings:
privileged_session_max_age: 15m
In the example above, an Ory Session would be considered "privileged" for 15 minutes. The end-user can perform any profile changes (for example update password, link another social provider, add a 2fa method, ...) without being prompted to re-authenticate.
This flow is similar to GitHub's sudo mode!
Refreshing Sessions​
You can prompt the user to re-authenticate by interacting with the
/self-service/login/browser
or
/self-service/login/api
API and setting the refresh
parameter to true. Once the user has
re-authenticated, the authenticated_at
timestamp of the Ory Session will be
set to the current time.
/self-service/login/browser?refresh=true
If enabled, you can also refresh the second factor by setting both refresh
and
aal
:
/self-service/login/browser?refresh=true&aal=aal2