# ory-copilot
@chilly-king-10285 what is the best practice to handle sessions? Can I pass the session cookie with every API call to the backend, where the backend would validate the session each time?
A message from kapa.ai
Based on the knowledge sources provided, I can answer your question about handling sessions in Ory.

Yes, passing the session cookie with every API call to the backend where it can be validated is indeed a recommended approach. This method ensures that each request is authenticated and the session is still valid. Here's a breakdown of the best practices for handling sessions:

1. Cookie-based approach: Ory uses a cookie-based security model for browser applications. The session information is stored in a cookie, which is sent with each request to the backend.
2. Backend validation: Your backend should validate the session for each API call. This can be done by forwarding the cookies received from the frontend to Ory's API to validate the session.
3. Middleware usage: It's recommended to implement middleware in your backend to intercept API requests and validate the session. For example, in a Go backend, you could use middleware to call Ory's `toSession()` method, ensuring that the cookies received from the frontend are forwarded in this call.
4. Session caching: Ory Network employs a session caching mechanism to reduce latency for `toSession` / `/sessions/whoami` endpoint calls across the globe.

Here's an example of how this might look in a PHP backend:
```php
// Method of a controller class that holds an Ory FrontendApi client in $this->ory
public function validateSession()
{
    // rebuild the Cookie header from the cookies the browser sent us
    $cookies = "";
    foreach ($_COOKIE as $key => $value) {
        $cookies .= "$key=$value;";
    }

    try {
        // check if we have a session
        $session = $this->ory->toSession("", $cookies);
        if (! $session["active"]) throw new Exception('Session expired');
    } catch (Exception $e) {
        error_log('Exception when calling toSession: ' . $e->getMessage());
        // this will initialize a new login flow and Kratos will redirect the user to the login UI
        header("Location: /.ory/self-service/login/browser", true, 303);
        die();
    }
    $this->session = $session;
}
```
This approach allows you to validate the session for each request, ensuring that the user is authenticated and the session is still active.

For more detailed information, you can refer to these resources:
- [Cookie-based security model](https://www.ory.sh/docs/security-model)
- [Validate and login in PHP](https://www.ory.sh/docs/getting-started/integrate-auth/php#validate-and-login)
- [Session Management Overview](https://www.ory.sh/docs/kratos/session-management/overview)

Remember, while this approach is effective, it's important to consider the performance implications of validating the session on every API call, especially for high-traffic applications. In such cases, you might want to consider implementing additional caching mechanisms on your backend to reduce the number of calls to Ory's API.
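The Go middleware that point 3 of the answer describes, written out as an added example with the backend-side cache the closing caveat suggests. This is not code from the thread, from Ory's SDK or from Ory's docs: it uses only the standard library and calls Ory's `GET /sessions/whoami` endpoint directly instead of going through the SDK's `toSession`. The Ory base URL, the 30-second TTL, the cookie value and the in-process fake Ory server that stands in for the real endpoint are all constructed for the demo; the JSON fields it reads (`active`, `expires_at`, `identity.id`) are the ones the whoami response carries.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

type Session struct { // subset of Ory's GET /sessions/whoami JSON that this backend needs
	Active    bool      `json:"active"`
	ExpiresAt time.Time `json:"expires_at"`
	Identity  struct{ ID string `json:"id"` } `json:"identity"`
}

// SessionValidator forwards the browser's Cookie header to Ory's whoami endpoint and
// caches positive answers for a bounded time; failures are never cached.
type SessionValidator struct {
	OryURL string // assumed Ory base URL, e.g. "https://<slug>.projects.oryapis.com"
	TTL    time.Duration
	Client *http.Client
	cache  sync.Map // SHA-256 of the cookie -> Session, ExpiresAt clamped to the cache deadline
}

func NewSessionValidator(oryURL string, ttl time.Duration) *SessionValidator {
	return &SessionValidator{OryURL: oryURL, TTL: ttl, Client: &http.Client{Timeout: 5 * time.Second}}
}

// Validate returns the active session behind a Cookie header value, or an error.
func (v *SessionValidator) Validate(cookie string) (Session, error) {
	if cookie == "" { // anonymous request: reject without a round trip to Ory
		return Session{}, fmt.Errorf("no cookie presented")
	}
	key := sha256.Sum256([]byte(cookie)) // never keep the raw session token as a map key
	if c, ok := v.cache.Load(key); ok && time.Now().Before(c.(Session).ExpiresAt) {
		return c.(Session), nil
	}
	req, err := http.NewRequest(http.MethodGet, v.OryURL+"/sessions/whoami", nil)
	if err != nil {
		return Session{}, err
	}
	req.Header.Set("Cookie", cookie) // forward the cookies exactly as the browser sent them
	resp, err := v.Client.Do(req)
	if err != nil {
		return Session{}, err
	}
	defer resp.Body.Close()
	var s Session
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&s) != nil || !s.Active {
		return Session{}, fmt.Errorf("no active session (whoami HTTP %d)", resp.StatusCode)
	}
	// Cache deadline: the TTL, or the session's own expiry if that comes first.
	if deadline := time.Now().Add(v.TTL); s.ExpiresAt.IsZero() || deadline.Before(s.ExpiresAt) {
		s.ExpiresAt = deadline
	}
	v.cache.Store(key, s)
	return s, nil
}

// Middleware rejects requests without an active session and hands the session to next.
func (v *SessionValidator) Middleware(next func(http.ResponseWriter, *http.Request, Session)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s, err := v.Validate(r.Header.Get("Cookie"))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r, s)
	})
}

// NewFakeOry is a constructed offline stand-in for Ory's whoami: one valid cookie value and a call counter.
func NewFakeOry(validCookie string, calls *int32) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(calls, 1)
		if r.URL.Path != "/sessions/whoami" || r.Header.Get("Cookie") != validCookie {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		expires := time.Now().Add(time.Hour).UTC().Format(time.RFC3339)
		fmt.Fprintf(w, `{"active":true,"expires_at":%q,"identity":{"id":"user-1"}}`, expires)
	}))
}

// Call sends one request carrying the given Cookie header through h and returns the status code.
func Call(h http.Handler, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	req.Header.Set("Cookie", cookie)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const cookie = "ory_kratos_session=constructed-demo-token" // constructed sample value
	var calls int32
	ory := NewFakeOry(cookie, &calls)
	api := NewSessionValidator(ory.URL, 30*time.Second).Middleware(
		func(w http.ResponseWriter, _ *http.Request, s Session) { fmt.Fprintf(w, "hello %s", s.Identity.ID) })
	fmt.Println(Call(api, cookie), Call(api, cookie), Call(api, ""), Call(api, "ory_kratos_session=bogus"))
	fmt.Println("calls to Ory:", atomic.LoadInt32(&calls)) // 2: the second valid request was served from cache
}
```

Two caveats that go with this design. A cached entry delays revocation: a logout or an administrative session revocation is not seen by the backend until the entry's deadline passes, so keep the TTL in the tens of seconds, and never cache failures, otherwise a user who has just logged in is locked out for a TTL. Forwarding the Cookie header verbatim, rather than rebuilding it from parsed cookie values as the PHP snippet does, also avoids re-encoding the values on the way to Ory.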