# talk-kratos
g
So I'm trying to get into Kratos. Coming from a self-implemented access tokens / refresh tokens (JWT) solution there are a few things I don't fully understand:

1. When I want to check if a request is authenticated on my API service, I call the Kratos `/whoami` endpoint with the request's cookies, right? But this doesn't prevent a CSRF attack (the way an in-memory access token would), or am I missing something?
2. With the refresh token it was possible to have the user be authenticated without interaction for an indefinite time, if said user visited the site regularly. I found the `?refresh=true`, but here the user actually has to enter the password again. Is there another way to refresh the session without interaction, or what would be best practice to achieve something similar?
Nevermind question 2. I just saw kratos#615.
d
Hello. Yes, you need to call the `/sessions/whoami` endpoint to check if the incoming request is authenticated. You can have multidomain and have strict rules to prevent CSRF. Have you checked the 'Advanced Base URL, CSRF & Session Cookie settings' guide?
g
Didn't see this guide before, but I just had a look at it. You mean setting the `same_site` attribute to Strict?