Skip to main content

Configuring cookies

When working with cookies, keep the following in mind:

  1. HTTP Cookies aren't port specific. If a cookie is set on https://mydomain.com:1234 it's also valid for https://mydomain.com:4321 and https://mydomain.com.
  2. Unless --dev is set, Ory Kratos' cookies are only sent over HTTPS.
  3. Cookies in Ory Kratos are always httpOnly.
  4. It's possible to set a cookie for mydomain.com when the original request was made to subdomain.mydomain.com. It's however not possible to set a cookie for anotherdomain.com when the original request was made to mydomain.com. See also this answer on StackOverflow.
note

Ory Kratos uses pass-by-value cookies whose values are encrypted using the secrets.default / secrets.cookie secrets. If these secrets are changed without doing proper secret / key rotation, all cookies will be invalid which will cause users to be signed out, and other side effects.

Session cookies

CloudRun, Heroku, and other "serverless" solutions commonly expose services directly to the public, and don't allow for fronting by a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example service1.myproduct.com, service2.myproduct.com, service3.myproduct.com, ...).

If that's the case you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:

"path/to/kratos/config.yml
session:
cookie:
domain: myproduct.com

It's also possible to restrict the cookie path:

note

It's very unlikely that you need to change this!

"path/to/kratos/config.yml
session:
cookie:
path: /some/sub-directory

You can also modify the new HTTP Cookie SameSite Attribute using:

"path/to/kratos/config.yml
session:
cookie:
same_site: Lax