<@U04UQ68083H> is there a way to use ory's client ...
# ory-copilot
@chilly-king-10285 is there a way to use ory's client sdk `frontendApi` to set the browser cookies manually in the client after creating a login flow on the server?
A message from kapa.ai
Based on the knowledge sources, Ory's authentication flows are designed to work with HTTP cookies in specific ways depending on whether you're using browser-based or API-based flows. When creating a login flow on the server and then wanting to set cookies manually on the client, there are some important considerations:

For browser-based flows, cookies are typically set automatically by the browser when the Ory server responds with a `Set-Cookie` header. This is the recommended approach as it handles all the security aspects (like `secure`, `httpOnly`, and `sameSite` flags) properly.

If you're trying to manually handle cookies between server and client, you'll need to:

1. When creating a login flow on the server, you'll receive cookies in the response that need to be forwarded to the client.
2. For subsequent requests from the client using the `frontendApi`, you must ensure cookies are included with requests, which can be done by setting the `withCredentials: true` option in the SDK configuration:
```javascript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    basePath: "http://localhost:4000", // Your Ory URL
    baseOptions: {
      withCredentials: true,
    },
  }),
)
```
This configuration ensures that cookies are automatically sent with requests [Ory session](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie).

However, there's a challenge with this approach. The knowledge sources don't explicitly show a way to manually set cookies from the server to the client using the SDK. This is because:

1. Ory's security model relies on cookies being set by the browser directly from Ory's responses
2. Manually setting HTTP-only cookies from JavaScript isn't possible (by design for security)

A more standard approach would be to:

- Let the browser handle the initial login flow directly with Ory
- Or redirect the user to complete the flow in the browser after server-side initialization

If you're building a server-side rendered application, you should forward the cookies received from Ory when validating sessions [Migrate to Ory tutorial](https://www.ory.sh/docs/migrate-to-ory#integrate-backend).

The knowledge sources don't provide a direct method to manually set Ory cookies on the client side after server-side flow creation, as this would potentially circumvent security measures built into the cookie-based authentication model.