When a self-service settings flow is submitted to Ory Kratos for a protected property (such as password, email, or other privileged fields) but the session is lacking (for example, the session is too old or missing), the response will be a 403 Forbidden status. This is due to the requirement that the session must be "privileged"—meaning it must be younger than the configured `privileged_session_max_age`—to update protected properties. For browser flows, if the session is not privileged or missing, Kratos will redirect the user to the login endpoint to re-authenticate. For API flows, a 403 Forbidden status is returned, and the client must initiate a new login flow to obtain a fresh session. The error response may include an error ID such as

session_refresh_required

or

session_inactive

to indicate the specific reason: - `session_refresh_required`: The identity requested to change something that needs a privileged session. - `session_inactive`: No Ory Session was found—sign in a user first. This behavior is documented in the API reference and the user settings flow documentation: > API-initiated flows ... HTTP 403 when

selfservice.flows.settings.privileged_session_max_age

was reached or the session's AAL is too low. Implies that the user needs to re-authenticate. > Browser flows ... a HTTP 303 redirect to the login endpoint when

selfservice.flows.settings.privileged_session_max_age

was reached or the session's AAL is too low. > If the Ory Session is older than the specified amount, the user is prompted to re-authenticate similar to the GitHub sudo mode. ... API-based flows will simply return a 403 Forbidden status message which require you to request a new Ory Session using the API-based Login Flow [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings) [updateSettingsFlow](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json) [Session lifespan: Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions)