Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I seems to me that I need to generate a new session cookie when I extend the session and return that to our UI. Does this sound like a sensible route, or have I missed a trick in Kratos that will do something similar for me?

Hello <@U05RBA1HM24>

That sounds sensible and as far as I can see that is the correct way to solve it.

great, thanks. Sometimes its hard to know weather a particular approach is elegant or ugly (e.g. Duffs device :-)

To reply to myself, The correct technique is to copy the kratos_session cookie generated in response to my toSession() call. This cookie is only returned after an extend session request is made. This new cookie has a valid kratos session value and correct expiry dates.

Thanks for sharing! I made a note to add to the docs/bot