Configuring Cookies

When working with cookies, keep the following in mind:

- HTTP Cookies aren't port specific. If a cookie is set on https://mydomain.com:1234, it's also valid for https://mydomain.com:4321 and https://mydomain.com.
- Unless --dev is set, Ory Kratos' cookies are only sent over HTTPS.
- Cookies in Ory Kratos are always httpOnly.
- It's possible to set a cookie for mydomain.com when the original request was made to subdomain.mydomain.com. It's however not possible to set a cookie for anotherdomain.com when the original request was made to mydomain.com. See also this answer on StackOverflow.
note

Ory Kratos uses pass-by-value cookies whose values are encrypted using the secrets.default / secrets.cookie secrets. If these secrets are changed without proper secret / key rotation, all existing cookies become invalid, which signs out every user and causes other side effects.
Session Cookies

CloudRun, Heroku, and other "serverless" solutions commonly expose services directly to the public, and don't allow for fronting by a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example service1.myproduct.com, service2.myproduct.com, service3.myproduct.com, ...).

If that's the case you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:
session:
  cookie:
    domain: myproduct.com
It's also possible to restrict the cookie path:

note

It's very unlikely that you need to change this!

session:
  cookie:
    path: /some/sub-directory
You can also modify the new HTTP Cookie SameSite Attribute using:

session:
  cookie:
    same_site: Lax
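As an added example (not Ory's code), the check below takes a Set-Cookie header as a reverse proxy or test client would see it and compares it against a session.cookie config like the ones above, applying the rules from the top of this page: HttpOnly always, Secure unless --dev, ports ignored, and a Domain that must be the request host or one of its parent domains. The config dict, header strings and cookie name are constructed for the demo.

```python
"""Check a Set-Cookie header against a Kratos-style session.cookie config."""
from urllib.parse import urlsplit


def cookie_domain_allowed(request_host: str, cookie_domain: str) -> bool:
    """Domain rule from the bullets above: the cookie Domain may be the request
    host itself or a parent domain of it, never an unrelated domain. The port is
    dropped first because HTTP cookies are not port specific."""
    host = urlsplit("//" + request_host).hostname or ""  # strips :port, lowercases
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name/value plus lower-cased attributes.
    Flag attributes without a value (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return attrs


def check_session_cookie(header: str, request_host: str, config: dict, dev: bool = False) -> list:
    """Return human-readable findings where the cookie deviates from the config
    or from the properties this page describes. An empty list means it matches."""
    c = parse_set_cookie(header)
    cfg = config.get("session", {}).get("cookie", {})
    findings = []
    if c.get("httponly") is not True:
        findings.append("missing HttpOnly")
    if not dev and c.get("secure") is not True:
        findings.append("missing Secure (cookie would also be sent over plain HTTP)")
    want_domain = cfg.get("domain")
    if want_domain:
        if str(c.get("domain", "")).lstrip(".").lower() != want_domain.lower():
            findings.append(f"Domain is {c.get('domain')!r}, config says {want_domain!r}")
        if not cookie_domain_allowed(request_host, want_domain):
            findings.append(f"a browser would reject Domain={want_domain} for host {request_host}")
    want_path = cfg.get("path", "/")
    if c.get("path", "/") != want_path:
        findings.append(f"Path is {c.get('path')!r}, config says {want_path!r}")
    want_ss = cfg.get("same_site")
    if want_ss and str(c.get("samesite", "")).lower() != want_ss.lower():
        findings.append(f"SameSite is {c.get('samesite')!r}, config says {want_ss!r}")
    return findings


# Constructed samples: the config from this page, a header that matches it, and one that does not.
SAMPLE_CONFIG = {"session": {"cookie": {"domain": "myproduct.com", "path": "/", "same_site": "Lax"}}}
GOOD_HEADER = "session=opaque-value; Path=/; Domain=myproduct.com; HttpOnly; Secure; SameSite=Lax"
BAD_HEADER = "session=opaque-value; Path=/; Domain=anotherdomain.com; SameSite=Lax"

if __name__ == "__main__":
    print(check_session_cookie(GOOD_HEADER, "service1.myproduct.com:8080", SAMPLE_CONFIG))  # []
    print(check_session_cookie(BAD_HEADER, "service1.myproduct.com", SAMPLE_CONFIG))  # three findings
```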