When working with cookies, keep the following in mind:

- HTTP cookies aren't port specific. If a cookie is set on `https://mydomain.com:1234`, it's also valid for the same host on any other port.
- Unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS.
- Cookies in Ory Kratos are always `HttpOnly`.
- It's possible to set a cookie for `mydomain.com` when the original request was made to `subdomain.mydomain.com`. It's however not possible to set a cookie for `anotherdomain.com` when the original request was made to `mydomain.com`. See also this answer on StackOverflow.

Ory Kratos uses pass-by-value cookies whose values are encrypted using the `secrets.cookie` secrets. If these secrets are changed without proper secret / key rotation, all existing cookies become invalid, which signs every user out and causes other side effects.

Cloud Run, Heroku, and other "serverless" solutions commonly expose services directly to the public and don't allow for fronting by a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example, one subdomain per service).

If that's the case, you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:

It's also possible to restrict the cookie path:

It's very unlikely that you need to change this!

You can also modify the HTTP cookie `SameSite` attribute using:
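The three session cookie keys above together with a rotation-friendly `secrets.cookie` list, as an added example that is not taken from this page (the key names follow the Ory Kratos configuration schema; the domain and the placeholder secrets are constructed values):

```yaml
# Constructed example Ory Kratos configuration (not from the page).
# Scopes the session cookie to the parent domain so that services on
# different subdomains of mydomain.com share one session.
session:
  cookie:
    # Set on the parent domain: valid for mydomain.com and all of its
    # subdomains. A response from a mydomain.com host may set this, but it
    # could not set a cookie for anotherdomain.com.
    domain: mydomain.com
    # Restrict the path only if you really need to; "/" is the usual value.
    path: /
    # One of Strict, Lax or None. "None" requires the cookie to be Secure,
    # which Kratos already enforces unless it was started with --dev.
    same_site: Lax

secrets:
  cookie:
    # The first entry is used for newly issued cookies; every entry is tried
    # when decoding. To rotate: add the new secret at the top, keep the old
    # one until existing sessions have expired, then remove it. Replacing
    # the only secret invalidates all cookies and signs everyone out.
    - PLEASE-CHANGE-ME-NEW-SECRET-PLACEHOLDER
    - PLEASE-CHANGE-ME-OLD-SECRET-PLACEHOLDER
```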