# talk-kratos
a
Hello 👋 I'm implementing an SPA with Kratos. After using the code from the Custom UI with Ory Elements guide, I always have to verify my account after successfully signing in (aka sign in a second time). Looking through the sample code, I found the following comment in the Login component:
```js
// we always pass refresh (true) on login so that the session can be refreshed when there is already an active session
      .createBrowserLoginFlow({ refresh: true, aal: aal2 ? "aal2" : "aal1" })
```
If I remove the `refresh: true` from the `createBrowserLoginFlow()` function call, however, then I'm taken straight to the dashboard. With the `refresh` parameter, I was receiving code 1010003 which I found in the Login Flow Handler. What I was curious about was if there was any harm in removing the `refresh` parameter? What does the user gain by verifying themselves? An extension to their session? Thanks!
Along those lines, I'm also curious why the logout flow sends the user to the Kratos server and then redirects them back to the App. Is there a way for me to use Kratos as an API in the logout flow so I don't reload my App?
Ok, for posterity, I looked through the Frontend Api docs and found a link to how to implement the Logout flow in a way that doesn't redirect the browser! https://www.ory.sh/docs/kratos/self-service/flows/user-logout#single-page-application-spa
Ok, based on this doc, I assume the reason to extend a user's session is so that they don't have to log in again at a later point in time or to make sure it's still them when they want to do a privileged action? https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions
p
Hi @acoustic-zebra-63757 Please take a look at https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#refreshing-user-session The `refresh=true` query parameter is only necessary when you want the user to log in again - "prove they are who they say they are". This is especially useful on actions that are destructive. Since this is frontend code, this of course shouldn't be relied on if your service requires the user to prove themselves. Rather redirect the user through this flow from your backend service.
a
Hi @proud-plumber-24205, thanks for the link! This ties into a related question: is there a way to extend a user's session without making them re-enter their password? In other applications, I've extended the session each time the user makes an API call (in the backend service) so they don't have to log in in the middle of a workflow. Does Kratos have a way of doing that?
p
a
Awesome! Thank you so much!