Session
After a user has logged in, Ory creates a session cookie that your application can use to verify the user's authentication status. This guide shows how to work with sessions in your application.
Protecting routes
You can protect routes by checking for the presence of a session cookie.
- JavaScript/Node.js
- React
- Next.js
- Go
- cURL
const requireAuth = async (req, res, next) => {
try {
const session = await ory.toSession({ cookie: req.header("cookie") })
req.session = session
next()
} catch (error) {
res.redirect(`${baseUrl}/ui/login`)
}
}
app.get("/", requireAuth, (req, res) => {
res.json(req.session.identity.traits) // { email: 'newtestuser@gmail.com' }
})
// Create a protected route wrapper component
function ProtectedRoute({ children }) {
const [isAuthenticated, setIsAuthenticated] = useState(false)
const [loading, setLoading] = useState(true)
useEffect(() => {
ory
.toSession()
.then(() => {
setIsAuthenticated(true)
setLoading(false)
})
.catch(() => {
setIsAuthenticated(false)
setLoading(false)
// Redirect to Ory login UI
window.location.href = `${basePath}/ui/login`
})
}, [])
if (loading) {
return <div>Loading...</div>
}
return isAuthenticated ? children : null
}
// middleware.ts file at the project root
import { NextResponse } from "next/server"
import type { NextRequest } from "next/server"
export async function middleware(request: NextRequest) {
const url = new URL(request.url)
const basePath = process.env.NEXT_PUBLIC_ORY_SDK_URL || "http://localhost:4000"
// List of protected paths
const protectedPaths = ["/dashboard", "/settings", "/profile"]
const isProtectedPath = protectedPaths.some((path) => url.pathname === path || url.pathname.startsWith(`${path}/`))
if (isProtectedPath) {
// Check for the session cookie
const cookie = request.cookies.get("ory_session_YOUR_PROJECT")
if (!cookie) {
// Redirect to Ory login UI with return URL
return NextResponse.redirect(`${basePath}/ui/login?return_to=${encodeURIComponent(url.pathname)}`)
}
}
return NextResponse.next()
}
// Configure which paths the middleware runs on
export const config = {
matcher: ["/dashboard/:path*", "/settings/:path*", "/profile/:path*"],
}
// Using the App struct and middleware from above
func main() {
// Assuming app is already initialized as in the sign-in guide
// Create router
mux := http.NewServeMux()
// Routes that use the session middleware
mux.Handle("/dashboard", app.sessionMiddleware(app.dashboardHandler))
mux.Handle("/profile", app.sessionMiddleware(app.profileHandler))
// Start server
http.ListenAndServe(":3000", mux)
}
// Example protected route handler
func (app *App) dashboardHandler(w http.ResponseWriter, r *http.Request) {
// Get session from context (set by middleware)
session, err := getSession(r.Context())
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Use session data
fmt.Fprintf(w, "Welcome, %s!", session.Identity.Traits["email"])
}
Refresh sessions
You can refresh user sessions to extend their expiration time:
- JavaScript/Node.js
- React
- Next.js
- Go
- cURL
app.get("/refresh-session", async (req, res) => {
// Redirect to login with refresh=true parameter
res.redirect(`${baseUrl}/ui/login?refresh=true`)
})
// Force session refresh by prompting re-authentication
function refreshUserSession() {
const basePath = process.env.REACT_APP_ORY_SDK_URL || "http://localhost:4000"
// Redirect to login with refresh=true parameter
window.location.href = `${basePath}/ui/login?refresh=true&return_to=${window.location.pathname}`
}
// Button component example
function RefreshSessionButton() {
return <button onClick={refreshUserSession}>Refresh Session</button>
}
// Force session refresh by prompting re-authentication
function refreshUserSession() {
const basePath = process.env.NEXT_PUBLIC_ORY_SDK_URL || "http://localhost:4000"
// Redirect to login with refresh=true parameter
window.location.href = `${basePath}/ui/login?refresh=true&return_to=${window.location.pathname}`
}
// API route to refresh session programmatically (pages/api/refresh-session.js)
export default async function handler(req, res) {
try {
const { data: session } = await ory.refreshSession({
cookie: req.headers.cookie,
})
res.status(200).json({ success: true, session })
} catch (error) {
res.status(401).json({ success: false, error: "Unauthorized" })
}
}
// Force session refresh by prompting re-authentication
func refreshSessionHandler(w http.ResponseWriter, r *http.Request) {
// Redirect to login with refresh=true parameter
http.Redirect(w, r, app.tunnelUrl+"/ui/login?refresh=true&return_to=/dashboard",
http.StatusSeeOther)
}
// Refresh a session programmatically
func (app *App) refreshSession(w http.ResponseWriter, r *http.Request) {
cookie := r.Header.Get("Cookie")
// Refresh the session
session, _, err := app.ory.FrontendApi.RefreshSession(r.Context()).
Cookie(cookie).Execute()
if err != nil {
http.Redirect(w, r, app.tunnelUrl+"/ui/login", http.StatusSeeOther)
return
}
// Session is now refreshed
ctx := withSession(r.Context(), session)
// Continue with the refreshed session
}
# Force session refresh by prompting re-authentication
# Redirect the user to this URL:
https://$PROJECT_SLUG.projects.oryapis.com/self-service/login/browser?refresh=true
# Refresh a session programmatically
curl -X GET \
'https://$PROJECT_SLUG.projects.oryapis.com/self-service/login/refresh?refresh=aAaAfAEAAdAFECQAAJMAbCcDdFEBaGcG' \
-H 'Accept: application/json' \
-H 'Cookie: ory_session_YOUR_PROJECT=YOUR_SESSION_COOKIE' \
--verbose
Configuring session settings in Ory Console
You can configure various session-related settings through the Ory Console. Learn how to:
- Configure Session lifespan
- Allow users to change sensitive settings (like passwords, adding a second factor, or changing email) in their profile.