Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey guys, my question is about the session extend capabilities.
API requests are forwarded via Traefik to oathkeeper, which mutates the cookie and sends a payload to a NestJS server.
The payload is handled by an ory strategy "oathkeeper-jwt" which then authenticated the user.

I am using the kratos client sdk in the server to extend the user's session, which is successful. The session is returned with a new expiry date, then I send a new cookie to the browser, which is also set correctly. The session entry in Kratos database is also updated successfully.
The problem is that not matter how many times I extend the session, the requests stop being authorized after the original session expiry date.
I haven't used Go before, but judging by the code, the session is not updated in the session store after extension. It returns the extended session, but when used to verify if the session is still valid, it uses the original.

Is it me, or it's not working correctly? Please let me know. Thanks

We are also having the same problem. When looking into it, we found that the token is empty in the `FetchFromRequest` method of `session/manager_http.go`, even though the cookie was extended correctly in the browser and the session was updated with new expiry date in the Kratos DB.