<@U04UQ68083H> Is there a way to set the cookie va...
# ory-copilot
q
@chilly-king-10285 Is there a way to set the cookie value manually in Ory Kratos?
c
A message from kapa.ai
Ory Kratos uses HTTP cookies for various purposes such as session management and CSRF protection. However, the value of these cookies is managed by Ory Kratos and is not meant to be set manually. For instance, Ory Kratos uses pass-by-value cookies whose values are encrypted using the `secrets.default` / `secrets.cookie` secrets. If these secrets are changed without doing proper secret / key rotation, all cookies will be invalid, which will cause users to be signed out, and other side effects.

Furthermore, when a user successfully completes the registration or login process, Ory Kratos responds with an HTTP 303 Redirect and a `Set-Cookie` HTTP header is set alongside the redirect which contains the Ory Session Cookie. The value of this cookie is managed by Ory Kratos and is not meant to be set manually.

However, you can configure certain aspects of the cookies such as the domain, path, and SameSite attribute in the Ory Kratos configuration file. For example:
```yaml
session:
  cookie:
    domain: myproduct.com
```
This sets the domain for the session cookie. Similarly, you can set the path and SameSite attribute.

Sources:
- [Configuring Cookies](https://www.ory.sh/docs/kratos/guides/configuring-cookies)
- [Successful Registration](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#server-side-browser-clients)
- [Successful Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login#successful-login)
q
@chilly-king-10285 How to get this cookie value in JavaScript?
c
A message from kapa.ai
The cookies set by Ory Kratos can't be accessed directly from client-side JavaScript because the `HttpOnly` flag is set. This flag can't be modified. This is a security feature that helps prevent attacks such as cross-site scripting (XSS). However, you can use the Ory SDK to interact with the Ory Kratos API and manage sessions. For example, you can use the SDK to call the `/sessions/whoami` endpoint to check the current session:
```tsx
import { Configuration, FrontendApi, Session } from "@ory/client"
import { useEffect, useState } from "react"

const frontend = new FrontendApi(
  new Configuration({
    basePath: "http://localhost:4000", // Use your local Ory Tunnel URL
    baseOptions: {
      // Send cookies with cross-origin requests to the Ory endpoint
      withCredentials: true,
    },
  }),
)

export function checkSession() {
  // undefined until /sessions/whoami has answered
  const [session, setSession] = useState<Session | undefined>(undefined)

  useEffect(() => {
    frontend
      // the cookie is automatically sent with the request
      .toSession()
      .then(({ data: session }) => {
        setSession(session)
      })
      .catch((error) => {
        // The session could not be fetched
        // This might occur if the current session has expired
      })
  }, [])

  return session ? (
    <table>
      <tr>
        <th>Session ID</th>
        <th>Expires at</th>
        <th>Authenticated at</th>
      </tr>
      <tr id={session.id}>
        <td>{session.id}</td>
        <td>{session.expires_at || ""}</td>
        <td>{session.authenticated_at || ""}</td>
      </tr>
    </table>
  ) : (
    <div>Loading session data...</div>
  )
}
```
In this example, the `toSession()` method is used to get the current session. The cookie is automatically sent with the request because `withCredentials` is set to `true`.

Sources:
- [Accessing cookies from client-side JavaScript](https://www.ory.sh/docs/troubleshooting/csrf#accessing-cookies-from-client-side-javascript)
- [Using Ory Session Cookie](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie)