appwrite/docs/references/account/create-session.md

Allow the user to login into his account by providing a valid email and password combination. Use the success and failure arguments to provide a redirect URL's back to your app when login is completed.

Please note that in order to avoid a Redirect Attack the only valid redirect URLs are the ones from domains you have set when adding your platforms in the console interface.

When accessing this route using Javascript from the browser, success and failure parameter URLs are required. Appwrite server will respond with a 301 redirect status code and will set the user session cookie. This behavior is enforced because modern browsers are limiting 3rd party cookies in XHR of fetch requests to protect user privacy.