Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey Toni, we didn’t see that anyone was using `X-Session-Cookie` .  `X-Session-Cookie`  was problematic because it did not contain the cookie name, only the cookie value. That posed a security risk. It was not documented anywhere we could find (maybe we missed something?). We therefore removed it because it was an obscure header that was also a security problem. I’m sorry that we missed your use case.

To fix it, do the following. Instead of extracting the cookie value, just forward the cookie header. In NodeJS for example:

```res.header.set("Cookie", )```

<https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api>

here are the official ways for different sdks that are supported for fetching whoami

So now I should send the token as Bearer instead ?

I am using a simple axios request for session

the node example contains both: token and cookie

ok if you are using axios in nodejs, then it’s:

```axios.get('/sessions/whoami', {
    headers: {
      Cookie: req.cookies.join(';')
    }
  })```

:disappointed: I’m really sorry about that, we should have done better and announced the removal of the field. We did do a thorough code search in all the docs and examples and could not find any usage of it, and thus thought that noone will also use it (since it’s undocumented). But we were wrong - will add this example to our knowledge base to improve the process here. Sorry about the trouble :disappointed:

Im ur pain in the ass guys, what can I do ?! hahahhaa