Update Setting 403 but session still active #56
Hi all, I hope you are doing well. I have a general question to do with Ory Kratos. When a user goes through the recovery of their account and finds themselves on the settings page to change their password, if they idle around long enough we get a 403 status error (reason: The login session is too old and thus not allowed to update these fields. Please re-authenticate.). Yet the user's session is still marked as active when I get the session using
Why is this the case?
Hi @Big-Brother-Man

In the settings flow, the account is required to have a Privileged Session, which is a different kind of session with its own lifespan (usually something like 15min). https://docs-qfnfeatc4-ory.vercel.app/docs/kratos/session-management/session-lifespan#privileged-sessions

In that case, the user is still "signed in" with a valid session for other tasks within the system, but not to update their profile. They will need to "re-authenticate" to get a privileged session.

https://docs-qfnfeatc4-ory.vercel.app/docs/kratos/session-management/refresh-extend-sessions#forcing-session-refresh
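The distinction in the reply above, as an added example (not code from the thread or from the Ory project): a browser/SPA client that tells an "active but no longer privileged" session apart from a missing one, and sends the user through the forced-refresh login instead of logging them out. It assumes the 403 carries Kratos' error id `session_refresh_required` and optionally a `redirect_browser_to` hint, a `privileged_session_max_age` of 15 minutes, and the documented `?refresh=true` login parameter; the session and error bodies are constructed samples.

```javascript
// Assumed Kratos config: selfservice.flows.settings.privileged_session_max_age: 15m
const PRIVILEGED_MAX_AGE_MS = 15 * 60 * 1000;

// A session can be "active" (whoami says so) yet not privileged: the privileged
// window is measured from authenticated_at, not from the session's expiry.
function isPrivileged(session, nowMs = Date.now()) {
  if (!session.active) return false;
  const authenticatedAt = Date.parse(session.authenticated_at);
  return nowMs - authenticatedAt <= PRIVILEGED_MAX_AGE_MS;
}

// Login URL that forces re-authentication of the existing session and returns
// the user to the settings page afterwards (refresh=true is the documented parameter).
function refreshLoginUrl(kratosPublicUrl, returnTo) {
  const u = new URL("/self-service/login/browser", kratosPublicUrl);
  u.searchParams.set("refresh", "true");
  u.searchParams.set("return_to", returnTo);
  return u.toString();
}

// Decide what the UI should do with a settings-flow submission response.
function classifySettingsResponse(status, body, kratosPublicUrl, returnTo) {
  if (status === 200) return { action: "ok" };
  // Assumed error id for "login session is too old": the session is still valid
  // for everything else, only the settings update needs fresh authentication.
  if (status === 403 && body?.error?.id === "session_refresh_required") {
    const url = body.redirect_browser_to ?? refreshLoginUrl(kratosPublicUrl, returnTo);
    return { action: "reauthenticate", url };
  }
  if (status === 401) return { action: "login" }; // no usable session at all
  return { action: "error", status };
}

// Constructed samples matching the situation described in the question.
const sampleSession = {
  active: true,
  authenticated_at: "2024-01-01T10:00:00Z",
  expires_at: "2024-01-02T10:00:00Z",
};
const sample403 = {
  error: {
    id: "session_refresh_required",
    code: 403,
    status: "Forbidden",
    reason: "The login session is too old and thus not allowed to update these fields. Please re-authenticate.",
  },
};
```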