
Configuring cookies

By default, cookies sent by Ory Hydra's API are set without an explicit SameSite attribute, so each browser applies its own default (Chromium-based browsers treat a missing attribute as Lax). To set the attribute explicitly, use the serve.cookies.same_site_mode setting. Possible values are Strict, Lax or None:

serve:
  cookies:
    same_site_mode: Strict

If you wish to embed requests to Hydra in a third-party site (for example an iframe that periodically polls to check session status), the cookies are sent in a cross-site context and you will need to set the mode to None. A cookie with SameSite=None is only accepted by browsers when it also carries the Secure attribute, so this mode requires HTTPS. Some browser versions reject cookies using the SameSite=None attribute outright. Hydra implements a workaround for these clients that can be enabled by setting serve.cookies.same_site_legacy_workaround to true. The workaround is disabled by default and only takes effect when serve.cookies.same_site_mode is set to None:

# SameSite=None requires the Secure attribute and therefore HTTPS, so dev mode must be disabled:
dev: false

serve:
  cookies:
    same_site_mode: None
    same_site_legacy_workaround: true

To set the cookie domain, use the serve.cookies.domain setting. Setting a domain makes the cookies available to every subdomain of that domain as well; leave it unset to keep them host-only:

serve:
  cookies:
    domain: example.com

To set the cookie names, use the serve.cookies.names setting:

serve:
  cookies:
    names:
      login_csrf: login_name
      consent_csrf: consent_name
      session: session_name
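To make the effect of these settings concrete, here is an added Go example (written for this page, not Hydra's own config loader or cookie code) that maps a serve.cookies-style block onto the Set-Cookie headers a browser would receive. It covers the same_site_mode values, the Secure/HTTPS requirement of None, the legacy workaround (modelled here as a duplicate cookie with an assumed "_legacy" suffix and no SameSite attribute), the domain, and the name overrides. The CookieConfig struct, the use of the config keys as default cookie names, and the "_legacy" suffix are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CookieConfig mirrors the serve.cookies block from the page. Field shapes
// are an assumption of this example, not Hydra's configuration code.
type CookieConfig struct {
	SameSiteMode             string            // "Strict", "Lax", "None" or "" (attribute omitted)
	SameSiteLegacyWorkaround bool              // only honoured when SameSiteMode is "None"
	Domain                   string            // Domain attribute; empty keeps the cookie host-only
	Names                    map[string]string // overrides for login_csrf, consent_csrf, session
}

// ParseSameSite maps the same_site_mode string to Go's http.SameSite values.
func ParseSameSite(mode string) (http.SameSite, error) {
	switch strings.ToLower(mode) {
	case "":
		return http.SameSiteDefaultMode, nil // no SameSite attribute is written
	case "strict":
		return http.SameSiteStrictMode, nil
	case "lax":
		return http.SameSiteLaxMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	}
	return 0, fmt.Errorf("unknown same_site_mode %q (want Strict, Lax or None)", mode)
}

// SetCookie writes the cookie identified by key ("session", "login_csrf" or
// "consent_csrf") onto w according to cfg. https reports whether the response
// goes out over TLS: SameSite=None is only valid together with Secure, so it
// is refused on plain HTTP instead of emitting a cookie browsers would drop.
func SetCookie(w http.ResponseWriter, cfg CookieConfig, key, value string, https bool) error {
	mode, err := ParseSameSite(cfg.SameSiteMode)
	if err != nil {
		return err
	}
	if mode == http.SameSiteNoneMode && !https {
		return errors.New("same_site_mode None needs Secure, which needs HTTPS (dev: false)")
	}
	name := key // assumed default; Hydra's real default cookie names are not reproduced here
	if n := cfg.Names[key]; n != "" {
		name = n
	}
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Domain:   cfg.Domain,
		HttpOnly: true,
		Secure:   https,
		SameSite: mode,
	}
	http.SetCookie(w, c)

	// Legacy workaround: browsers that reject SameSite=None ignore the first
	// cookie, so a second copy is sent with no SameSite attribute at all.
	// The "_legacy" suffix is an assumption of this example.
	if mode == http.SameSiteNoneMode && cfg.SameSiteLegacyWorkaround {
		legacy := *c
		legacy.Name = name + "_legacy"
		legacy.SameSite = http.SameSiteDefaultMode
		http.SetCookie(w, &legacy)
	}
	return nil
}

// RenderSetCookie returns the Set-Cookie header lines cfg produces for one
// cookie, captured with an in-memory response recorder.
func RenderSetCookie(cfg CookieConfig, key, value string, https bool) ([]string, error) {
	rec := httptest.NewRecorder()
	if err := SetCookie(rec, cfg, key, value, https); err != nil {
		return nil, err
	}
	return rec.Header().Values("Set-Cookie"), nil
}

func main() {
	// The page's third-party-embedding configuration, once over HTTPS and once over HTTP.
	cfg := CookieConfig{
		SameSiteMode:             "None",
		SameSiteLegacyWorkaround: true,
		Domain:                   "example.com",
		Names:                    map[string]string{"session": "session_name"},
	}
	for _, https := range []bool{true, false} {
		hdrs, err := RenderSetCookie(cfg, "session", "opaque-session-id", https)
		if err != nil {
			fmt.Println("https =", https, "->", err)
			continue
		}
		for _, h := range hdrs {
			fmt.Println("https =", https, "-> Set-Cookie:", h)
		}
	}
}
```

Over HTTPS the None configuration yields two headers, one ending in "Secure; SameSite=None" and a second "_legacy" copy without any SameSite attribute; over HTTP the same configuration is refused, which is the situation the "dev: false" comment in the page's example guards against. With Strict or Lax the legacy flag is ignored and a single cookie is written.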