# ory-copilot
@chilly-king-10285 As per my understanding, Ory uses cookie-based authentication. So when a request is made from the client side, I can verify the session using the Golang SDK. Do I need to take care of access & refresh tokens? As per my understanding, OAuth2 & OpenID work on JWT tokens? What happened to those tokens?
A message from kapa.ai
Yes, Ory does support a cookie-based security model, which is particularly useful for browser applications. This model implements special browser APIs that use additional security measures such as anti-CSRF cookies, providing protection from common browser attack vectors like Cross-site scripting (XSS) and Cross-site request forgery (CSRF) [[source](https://www.ory.sh/docs/security-model)]. You can verify the session using the Go SDK. Here's an example of how to do it:
```go
package frontend

import (
	"context"
	"fmt"
	"os"

	client "github.com/ory/client-go"
)

// ory is the shared API client, configured once at package init.
var ory *client.APIClient

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

// CheckSession asks Ory whether the given session token belongs to an active session.
func CheckSession(ctx context.Context, sessionToken string) (*client.Session, error) {
	session, _, err := ory.FrontendApi.ToSession(ctx).
		XSessionToken(sessionToken).
		Execute()
	if err != nil {
		// error validating the session, for example because the token provided has expired
		return nil, err
	}

	return session, nil
}
```
[[source](https://www.ory.sh/docs/kratos/session-management/overview)]

Regarding access and refresh tokens, Ory does use them in the context of OAuth2 and OpenID Connect (OIDC) protocols. When the access token expires, the refresh token is used to obtain a new access token without the user's involvement. However, Ory does not recommend using access and refresh tokens for session management [[source](https://www.ory.sh/docs/security-model)].

Ory uses opaque tokens for refresh tokens because they must be immediately revocable if needed. When using JSON Web Tokens (JWTs), the prefix is not applied [[source](https://www.ory.sh/docs/security-compliance/token-formats), [source](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token)].

In summary, while Ory does use access and refresh tokens in the context of OAuth2 and OIDC, it recommends a cookie-based model for session management. You can use the Go SDK to verify sessions.
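The snippet above checks a session by `X-Session-Token`, which is how native (non-browser) clients present a session. For the browser case the question is about, the backend instead forwards the browser's `Cookie` header to Ory's `GET /sessions/whoami` endpoint and trusts only the answer it gets back: the cookie is opaque to the backend, no JWT is ever parsed locally, and because Ory evaluates the session on every call a revoked session is rejected immediately. The following is an added example, not code from Ory or from the answer above. It uses only the Go standard library rather than the Ory SDK, so that it runs offline against a constructed stand-in server (`NewFakeOry`) that imitates the whoami endpoint; the path `/sessions/whoami` and the `active`, `expires_at` and `identity` fields are Ory's, while the cookie values, identity id and the `Probe` helper are assumptions made up for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Session is the subset of Ory's session object this example reads; the JSON
// field names match what GET /sessions/whoami returns.
type Session struct {
	ID        string    `json:"id"`
	Active    bool      `json:"active"`
	ExpiresAt time.Time `json:"expires_at"`
	Identity  struct {
		ID string `json:"id"`
	} `json:"identity"`
}

// ErrNoSession is returned when Ory reports no active session for the cookie.
var ErrNoSession = errors.New("no active session")

// SessionChecker forwards the browser's Cookie header to Ory's whoami endpoint.
// BaseURL is assumed to be the project URL, e.g. https://<slug>.projects.oryapis.com.
type SessionChecker struct {
	BaseURL string
	HTTP    *http.Client
}

// Whoami validates the session cookie server-side: the backend never decodes a
// token itself, it asks Ory whether the opaque cookie still maps to an active session.
func (c *SessionChecker) Whoami(ctx context.Context, cookieHeader string) (*Session, error) {
	if cookieHeader == "" {
		return nil, ErrNoSession
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.BaseURL+"/sessions/whoami", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Cookie", cookieHeader)
	req.Header.Set("Accept", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, ErrNoSession
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("whoami: unexpected status %d", resp.StatusCode)
	}
	var s Session
	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
		return nil, err
	}
	// A 200 alone is not enough: require active=true and an unexpired expires_at.
	if !s.Active || (!s.ExpiresAt.IsZero() && time.Now().After(s.ExpiresAt)) {
		return nil, ErrNoSession
	}
	return &s, nil
}

type sessionKey struct{}

// Middleware rejects requests without a valid Ory session and stores the
// session in the request context for downstream handlers.
func (c *SessionChecker) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s, err := c.Whoami(r.Context(), r.Header.Get("Cookie"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), sessionKey{}, s)))
	})
}

// SessionFromContext retrieves the session stored by Middleware.
func SessionFromContext(ctx context.Context) (*Session, bool) {
	s, ok := ctx.Value(sessionKey{}).(*Session)
	return s, ok
}

// NewFakeOry is a constructed stand-in for Ory's whoami endpoint so the example runs
// offline: it accepts exactly one cookie value and answers 401 to everything else.
func NewFakeOry(validCookie string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/sessions/whoami" || r.Header.Get("Cookie") != validCookie {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"id":"sess-1","active":true,"expires_at":%q,"identity":{"id":"user-42"}}`,
			time.Now().Add(time.Hour).Format(time.RFC3339))
	}))
}

// Probe (hypothetical helper) sends one request with the given Cookie header through
// Middleware and returns the HTTP status plus the identity id the protected handler saw.
func Probe(c *SessionChecker, cookie string) (int, string) {
	var seen string
	h := c.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if s, ok := SessionFromContext(r.Context()); ok {
			seen = s.Identity.ID
		}
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	srv := NewFakeOry("ory_kratos_session=good") // constructed sample cookie value
	defer srv.Close()
	c := &SessionChecker{BaseURL: srv.URL, HTTP: srv.Client()}
	for _, cookie := range []string{"ory_kratos_session=good", "ory_kratos_session=forged", ""} {
		code, who := Probe(c, cookie)
		fmt.Printf("cookie=%q -> %d identity=%q\n", cookie, code, who)
	}
}
```

With the real SDK the same forwarding is done by calling `ToSession(ctx).Cookie(r.Header.Get("Cookie"))` instead of `XSessionToken`; the check on `active` and `expires_at` stays worthwhile either way, since a session object can be returned for a session that Ory has already marked inactive.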