When interacting with OAuth2 on an Ory Network instance, HTTP cookies and session cookies come into play.

HTTP cookies are a central part of Ory's security model. Whenever the client that consumes Ory APIs is a browser, the system uses HTTP cookies to store session state and to protect against attack vectors such as CSRF. Ory issues HTTP cookies with the following flags for the highest level of security:

- `secure`: The cookie is only sent over HTTPS connections, to protect against man-in-the-middle attacks.
- `httpOnly`: The cookie is not accessible to JavaScript code, to protect against XSS.
- `sameSite=Strict`: The cookie is only sent on same-site requests, to protect against CSRF attacks.

[source](https://www.ory.sh/docs/security-model#http-cookies)

Ory also issues session cookies to maintain user sessions across requests. Session cookies typically store user authentication information, such as the user ID, and are used to provide a seamless user experience. Ory session cookies carry the `ory_session_` prefix, making them easy to identify in logs and tracking tools. Session cookies are essential for maintaining user sessions, and Ory ensures that they are secure and tamper-proof. Developers can configure the expiration time and cookie options for Ory session cookies to fit their application's specific needs.

[source](https://www.ory.sh/docs/security-compliance/token-formats)

For Ory Network Management APIs, the only way to authorize is with a session cookie issued to you by the Ory Network Console.

[source](https://www.ory.sh/docs/concepts/personal-access-token#authorizing-ory-network-management-apis)
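As an added example (not Ory's own code), the following Python audit checks the `Set-Cookie` headers a browser receives against the three flags listed above and singles out cookies with the `ory_session_` prefix. The sample headers are constructed for the demonstration, not captured from a real Ory instance.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite=Strict flags."""
from dataclasses import dataclass

SESSION_PREFIX = "ory_session_"  # prefix Ory uses for session cookies


@dataclass
class CookieAudit:
    name: str
    is_session: bool   # True when the cookie name starts with SESSION_PREFIX
    missing: list      # required attributes that are absent or weaker than expected


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip().lower() if val else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> CookieAudit:
    """Report which of the expected hardening flags a single cookie lacks."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if attrs.get("secure") is not True:
        missing.append("Secure")
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    if attrs.get("samesite") != "strict":   # Lax, None or absent all fail
        missing.append("SameSite=Strict")
    return CookieAudit(name, name.startswith(SESSION_PREFIX), missing)


def audit_response(set_cookie_headers) -> list:
    """Audit every Set-Cookie header of one HTTP response."""
    return [audit_cookie(h) for h in set_cookie_headers]


# Constructed sample headers: one compliant, one weakened, one non-session cookie.
SAMPLE_HEADERS = [
    "ory_session_example=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "ory_session_example=abc123; Path=/; HttpOnly; SameSite=Lax",
    "csrf_token=xyz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        status = "ok" if not result.missing else "missing " + ", ".join(result.missing)
        print(f"{result.name} (session={result.is_session}): {status}")
```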