# talk-kratos
p
Hi, how does ORY Kratos handle browser sessions where the cookie is set to expire on browser close? I would think that the session data sticks around, right, and is still valid?
p
Hi @polite-river-58556, Kratos issues an httpOnly cookie with an expiry date. You can of course also invalidate the session by logging the user out through the API or through the Admin API.
b
@proud-plumber-24205 What happens when the cookie doesn't have an expiration date / gets removed on browser close? The session would still be active on the server, right?
Or is that not really an issue, and the session gets cleaned up eventually by some cronjob that checks for expired sessions in the database?
@steep-lamp-91158 perhaps you know this?
s
I think there is currently no cleanup job, but we will add it eventually.
When the browser "forgets" the session, an attacker has to guess the session cookie to gain access to that session (same as when the browser still has the cookie).
b
@steep-lamp-91158 so the session just lingers around forever?
s
Ah no, it seems this was done already: https://github.com/ory/kratos/pull/2406