So I m trying to get into Kratos Coming from a self implemen

Question

So I m trying to get into Kratos Coming from a self implemented access tokens refresh tokens JWT solution there are a few things I don t fully understand 1 When I want to check if a request is authenticated on my API service I call the Kratos ` whoami` endpoint with the requests cookies right But this doesn t prevent CSRF attack the way an in memory access token would or am I missing something 2 With the refresh token it was possible to have to user be authenticated without interaction for an indefinite time if said user visited the site regularly I found the ` refresh=true` but here the user actually has to enter the password again Is there another way to refresh the session without interaction or what would be best practice to achieve something similar

green-angle-21108 · Answer

Nevermind question 2 I just saw kratos 615

damp-sunset-69236 · Answer

Hello Yes you need to call ` sessions whoami` endpoint to check if the incoming request is authenticated You can have multidomain and have strict rules to prevent CSRF Have you checked <https www ory sh kratos docs guides multi domain cookies|Advanced Base URL CSRF amp Session Cookie settings> guide

green-angle-21108 · Answer

Didn t see this guide before but I just had a look at it You mean setting the `same site` attribute to Strict