Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi all. I'm using the Ory Kratos browser login flow, and when that is successful the session cookie is set on the browser. Is there a specific reason the value of this cookie is not URI encoded? Or there is no option for it? From what I've seen it is not mandated by RFC, but seen as best practice for compatibility, <https://stackoverflow.com/questions/49205195/should-cookie-values-be-url-encoded>.

FYI, I'm creating a custom integration with Next.js which automatically encodes cookie values when I proxy requests to Kratos through there. I am calling the `/session/whoami` endpoint in a middleware to check for a valid session with the cookie. Kratos of course doesn't expect the cookie value to be encoded since this was done by Next.js. So the session is not seen as valid since the values won't be equal. There are some workarounds I can do on the Next.js side to avoid this. Still interested to learn if anything might by possible on the Kratos side though :slightly_smiling_face: