Ory Kratos validates a session by checking the session cookie (ory_kratos_session) when a request is made to the /sessions/whoami endpoint. The knowledge sources describe that Kratos issues a session cookie upon successful login and that this cookie is used to authenticate subsequent requests. When validating the session, Kratos determines if the session is active and returns the session object if valid, or a 401 error if not. However, the knowledge sources do not explicitly state whether Kratos always makes a request to the database when validating the session cookie. They do mention that the session flow object is stored in the database during flow initialization, and that session data is returned upon validation, but they do not detail the internal mechanism (e.g., whether session data is cached in memory or always fetched from the database) during cookie validation. Therefore, based on the provided information, it is not possible to definitively confirm if a database request is always made during session validation. In summary: The knowledge sources do not explicitly state whether Ory Kratos always makes a database request when validating the session cookie. They only describe the process of session validation and the use of the session cookie for authentication purposes [Ory session management overview](https://www.ory.sh/docs/kratos/session-management/overview#using-ory-session-cookie) [API reference: toSession](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json).