Configuring Cookies
When working with cookies, keep the following in mind:
- HTTP Cookies aren't port specific. If a cookie is set on `https://mydomain.com:1234`, it's also valid for `https://mydomain.com:4321` and `https://mydomain.com`.
- Unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS.
- Cookies in Ory Kratos are always `httpOnly`.
- It's possible to set a cookie for `mydomain.com` when the original request was made to `subdomain.mydomain.com`. It's however not possible to set a cookie for `anotherdomain.com` when the original request was made to `mydomain.com`. See also this answer on StackOverflow.
note
Ory Kratos uses pass-by-value cookies whose values are encrypted using the `secrets.default` / `secrets.cookie` secrets. If these secrets are changed without doing proper secret / key rotation, all cookies will be invalid, which will cause users to be signed out, among other side effects.
Session Cookies
CloudRun, Heroku, and other "serverless" solutions commonly expose services directly to the public, and don't allow for fronting by a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example `service1.myproduct.com`, `service2.myproduct.com`, `service3.myproduct.com`, ...).
If that's the case you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:
```yaml
session:
  cookie:
    domain: myproduct.com
```
It's also possible to restrict the cookie path:
note
It's very unlikely that you need to change this!
```yaml
session:
  cookie:
    path: /some/sub-directory
```
You can also modify the new HTTP Cookie SameSite Attribute using:
```yaml
session:
  cookie:
    same_site: Lax
```
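As an added example (not code from the Ory Kratos docs or project), the following Python check takes a `Set-Cookie` header as observed in a response, the host the request was made to, and the intended `session.cookie` settings, and reports where the cookie deviates from the rules above: missing `HttpOnly` or `Secure`, a `Domain` the responding host isn't allowed to set, or a domain/path/SameSite value that doesn't match the configuration. The hostnames and cookie strings are constructed samples.

```python
# Added example, not part of the Ory Kratos docs. Checks a Set-Cookie header
# emitted for a request host against the scoping rules above and against the
# session.cookie settings (domain, path, same_site). Hostnames are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs). Attribute names are
    lowercased; valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def domain_allowed(request_host, cookie_domain):
    """A response from request_host may set Domain= to itself or a parent domain
    (subdomain.mydomain.com may set mydomain.com) but never to an unrelated one.
    The port is dropped because cookies aren't port-specific."""
    host = request_host.split(":", 1)[0].lower()
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def check_session_cookie(header, request_host, expected, dev=False):
    """Return a list of findings; `expected` mirrors session.cookie, e.g.
    {"domain": "myproduct.com", "path": "/", "same_site": "Lax"}."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")          # Kratos cookies are always httpOnly
    if attrs.get("secure") is not True and not dev:
        findings.append("missing Secure")            # only acceptable with --dev
    domain = attrs.get("domain")
    if isinstance(domain, str) and not domain_allowed(request_host, domain):
        findings.append(f"Domain={domain} can't be set by {request_host}; browsers reject it")
    for key, attr in (("domain", "domain"), ("path", "path"), ("same_site", "samesite")):
        want, got = expected.get(key), attrs.get(attr)
        if want is not None and str(got).lstrip(".").lower() != str(want).lower():
            findings.append(f"{attr} is {got!r}, expected {want!r}")
    return findings


# Constructed samples: service1 sets the session cookie for the shared parent domain.
EXPECTED = {"domain": "myproduct.com", "path": "/", "same_site": "Lax"}
GOOD = "ory_kratos_session=abc123; Path=/; Domain=myproduct.com; HttpOnly; Secure; SameSite=Lax"
BAD = "ory_kratos_session=abc123; Path=/; Domain=anotherdomain.com; SameSite=None"
```

Running `check_session_cookie(GOOD, "service1.myproduct.com:8080", EXPECTED)` returns no findings, while the `BAD` header from `mydomain.com` is flagged for the missing flags, the foreign domain and the SameSite mismatch.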