happy-car-76302
03/12/2025, 3:04 PM
`frontendApi` to set the browser cookies manually in the client after creating a login flow on the server?
brief-egg-61061
03/12/2025, 3:04 PM
`Set-Cookie` header. This is the recommended approach as it handles all the security aspects (like `secure`, `httpOnly`, and `sameSite` flags) properly.

If you're trying to manually handle cookies between server and client, you'll need to:

1. When creating a login flow on the server, you'll receive cookies in the response that need to be forwarded to the client.
2. For subsequent requests from the client using the `frontendApi`, you must ensure cookies are included with requests, which can be done by setting the `withCredentials: true` option in the SDK configuration:

```javascript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    basePath: "http://localhost:4000", // Your Ory URL
    baseOptions: {
      withCredentials: true,
    },
  }),
)
```

This configuration ensures that cookies are automatically sent with requests [Ory session](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie).

However, there's a challenge with this approach. The knowledge sources don't explicitly show a way to manually set cookies from the server to the client using the SDK. This is because:

1. Ory's security model relies on cookies being set by the browser directly from Ory's responses
2. Manually setting HTTP-only cookies from JavaScript isn't possible (by design for security)

A more standard approach would be to:

- Let the browser handle the initial login flow directly with Ory
- Or redirect the user to complete the flow in the browser after server-side initialization

If you're building a server-side rendered application, you should forward the cookies received from Ory when validating sessions [Migrate to Ory tutorial](https://www.ory.sh/docs/migrate-to-ory#integrate-backend).

The knowledge sources don't provide a direct method to manually set Ory cookies on the client side after server-side flow creation, as this would potentially circumvent security measures built into the cookie-based authentication model.