Configuring cookies
When working with cookies, keep the following in mind:
- HTTP cookies aren't port specific. If a cookie is set on https://mydomain.com:1234, it's also valid for https://mydomain.com:4321 and https://mydomain.com.
- Unless --dev is set, Ory Kratos' cookies are only sent over HTTPS (they carry the Secure attribute).
- Cookies in Ory Kratos are always httpOnly, so they can't be read by JavaScript running in the page.
- It's possible to set a cookie for mydomain.com when the original request was made to subdomain.mydomain.com. It's however not possible to set a cookie for anotherdomain.com when the original request was made to mydomain.com. See also this answer on StackOverflow.
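The scoping rules in the list above, checked against Python's standard-library http.cookiejar, which models the host, port, Secure and Domain rules browsers apply. This is an added example, not code from the Ory Kratos project: the host names, ports, the session value "abc" and the Set-Cookie headers are constructed for the demonstration (ory_kratos_session is the default Kratos session cookie name).

```python
"""Cookie scoping rules, exercised with the standard-library cookie jar.
Added example, not Ory Kratos code; hosts, ports and values are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar.extract_cookies()
    only needs .info() to return the headers."""

    def __init__(self, *set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message allows repeats

    def info(self):
        return self._headers


def jar_after_set_cookie(request_url, *set_cookie_headers):
    """Return a CookieJar holding whatever the default policy accepted from a
    response to request_url that carried the given Set-Cookie headers."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(*set_cookie_headers), Request(request_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when no stored cookie is in scope for it."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def stored_cookie_names(jar):
    return sorted(c.name for c in jar)


# Issued the way Kratos does outside --dev mode: Secure and HttpOnly.
# "abc" is a constructed placeholder, not a real session token.
SESSION_COOKIE = "ory_kratos_session=abc; Path=/; Secure; HttpOnly"


def scope_report():
    """Run each rule from the list above and return {rule: observed result}."""
    results = {}

    # Rule 1: cookies are not port specific. Set on :1234, the jar keys the
    # cookie by host only, so it is sent to :4321 and to the default port.
    jar = jar_after_set_cookie("https://mydomain.com:1234/", SESSION_COOKIE)
    results["sent_to_other_port"] = cookie_header_for(jar, "https://mydomain.com:4321/")
    results["sent_to_default_port"] = cookie_header_for(jar, "https://mydomain.com/")

    # Rule 2: a Secure cookie is withheld from a plain-HTTP request.
    results["sent_over_http"] = cookie_header_for(jar, "http://mydomain.com/")

    # Rule 3: HttpOnly survives as a non-standard attribute on the stored cookie.
    results["http_only"] = len(jar) == 1 and all(
        c.has_nonstandard_attr("HttpOnly") for c in jar)

    # Rule 4a: a subdomain may scope a cookie to its parent domain; the jar
    # then sends it to the apex and to sibling subdomains.
    jar = jar_after_set_cookie("https://subdomain.mydomain.com/",
                               SESSION_COOKIE + "; Domain=mydomain.com")
    results["parent_domain_accepted"] = stored_cookie_names(jar)
    results["parent_domain_sent_to_apex"] = cookie_header_for(jar, "https://mydomain.com/")
    results["parent_domain_sent_to_sibling"] = cookie_header_for(
        jar, "https://other.mydomain.com/")

    # Rule 4b: a cookie for an unrelated domain is rejected outright.
    jar = jar_after_set_cookie("https://mydomain.com/",
                               SESSION_COOKIE + "; Domain=anotherdomain.com")
    results["foreign_domain_accepted"] = stored_cookie_names(jar)
    return results


if __name__ == "__main__":
    for rule, observed in scope_report().items():
        print(f"{rule:32} {observed!r}")
```

The jar's DefaultCookiePolicy is deliberately conservative, so a cookie it rejects (the anotherdomain.com case) is one no browser would accept either; the http:// request shows why Secure matters when --dev is not set.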
Ory Kratos uses pass-by-value cookies whose values are encrypted using the secrets.default / secrets.cookie secrets. If these secrets are changed without proper secret / key rotation, all existing cookies become invalid, which signs out every user and causes other side effects. Rotation means adding the new secret at the front of the list while keeping the previous secrets after it, so cookies issued under an older secret stay valid until they expire; only then can the old secret be dropped.
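To show what "proper secret / key rotation" protects against, here is an added model (not Ory Kratos code) of a cookie keyring: a list of secrets where the first entry issues new cookies and every entry is accepted when verifying, which mirrors the new-secret-first ordering described above. It authenticates values with HMAC-SHA256 so it runs with the standard library only, whereas Kratos also encrypts its cookie values, so it illustrates the rotation behaviour rather than the exact cookie format. The secrets and session ids are constructed placeholders.

```python
"""Cookie keyring model: why swapping a secret signs everyone out and how
rotation avoids it. Added example, not Ory Kratos code; HMAC only, no encryption."""
import base64
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class CookieKeyring:
    """secrets[0] signs new cookies; every entry is tried when verifying,
    so cookies issued under an older secret remain valid while that secret
    is still on the ring."""

    def __init__(self, secrets):
        if not secrets:
            raise ValueError("keyring needs at least one secret")
        self.secrets = [s.encode() if isinstance(s, str) else s for s in secrets]

    @staticmethod
    def _tag(secret, payload):
        return hmac.new(secret, payload, hashlib.sha256).digest()

    def seal(self, session_id):
        """Produce a cookie value: base64url(payload || HMAC(current secret))."""
        payload = session_id.encode()
        return base64.urlsafe_b64encode(
            payload + self._tag(self.secrets[0], payload)).decode()

    def open(self, cookie_value):
        """Return the session id if some secret on the ring verifies the
        cookie, else None (the browser's session is effectively gone)."""
        try:
            raw = base64.urlsafe_b64decode(cookie_value.encode())
        except ValueError:  # binascii.Error is a ValueError
            return None
        if len(raw) <= TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        for secret in self.secrets:
            if hmac.compare_digest(self._tag(secret, payload), tag):
                return payload.decode()
        return None


def rotation_demo():
    """Follow one cookie issued under the old secret through three deployments:
    unchanged secret, rotated ring [new, old], and the secret replaced outright."""
    old_secret = "old-cookie-secret-constructed-for-this-example"
    new_secret = "new-cookie-secret-constructed-for-this-example"

    cookie = CookieKeyring([old_secret]).seal("session-1234")
    rotated = CookieKeyring([new_secret, old_secret])
    return {
        "same_secret": CookieKeyring([old_secret]).open(cookie),
        "rotated": rotated.open(cookie),
        # Cookies minted after rotation already use the new secret, so the
        # old one can be removed once every pre-rotation cookie has expired.
        "issued_after_rotation": CookieKeyring([new_secret]).open(
            rotated.seal("session-5678")),
        "replaced": CookieKeyring([new_secret]).open(cookie),
    }


if __name__ == "__main__":
    for deployment, session in rotation_demo().items():
        print(f"{deployment:24} -> {session}")
```

The "replaced" entry is the failure mode the paragraph warns about: the cookie is intact and untampered, but no secret on the ring verifies it, so the user is signed out.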
Session cookies
CloudRun, Heroku, and other "serverless" solutions commonly expose services directly to the public and don't allow for fronting them with a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example service1.myproduct.com, service2.myproduct.com, service3.myproduct.com, ...).
If that's the case, you can change the session cookie domain using the following key in your Ory Kratos configuration. Set it to the registrable domain the services share, so the browser sends the session cookie to every subdomain:

```yaml
session:
  cookie:
    domain: myproduct.com
```

It's also possible to restrict the cookie path. It's very unlikely that you need to change this!

```yaml
session:
  cookie:
    path: /some/sub-directory
```

You can also modify the HTTP cookie SameSite attribute using:

```yaml
session:
  cookie:
    same_site: Lax
```

Valid values are Strict, Lax and None. Browsers only accept SameSite=None together with the Secure attribute, so it won't work with --dev, where Ory Kratos' cookies aren't marked Secure.