# ory-network
b
For session caching is there a recommended methodology? I usually do:
1. Restricted page or login clicked.
2. Server redirect to kratos, client log-in, get session.
3. Redirect to "finished" page.
4. Notice/Expect kratos session on endpoint load. (redirect back to login or error if no session)
5. Cache session against extended user information in redis / database.
6. Further requests do not test / check against kratos for validity unless the expires_at field is expired.
Does that seem safe or am I missing something fundamental?
s
logout is impossible with that strategy
or any other means of session invalidation
b
Well I mean I'd invalidate the session myself and purge from redis/cache.
Regardless of my excuse, does it still just make more sense to start every HTTP request with whoami?
h
Hey Adam, yes you could definitely hook into the logout routine and invalidate the session server-side as well. We are also adding Web Hooks as we speak to Ory Cloud and we want to have web hooks for logout events in the future. This will help with invalidation. Alternatively you can also just cache for a TTL that is acceptable to you where the session cookie is still valid. The cookie is of course deleted on the browser so the user is logged out, it's just that if he/she still had the cookie, it would still work.
TL;DR: I think your cache is totally fine! We want to add this capability also into some of our middleware and the Ory Proxy so hopefully you don't have to do this in the future.
And we're also working on bringing down the latency of hot whoami requests to ~20-30ms
b
Very good. Thank you for the clarification. Future looks bright. 8) Appreciate it.
h
Absolutely, thank you for being a part of the journey 🙂