Cookie settings
When working with cookies, keep the following in mind:
- HTTP Cookies aren't port specific. If a cookie is set on
https://mydomain.com:1234it's also valid forhttps://mydomain.com:4321andhttps://mydomain.com. - Unless
--devis set, Ory Kratos' cookies are only sent over HTTPS. - Cookies in Ory Kratos are always
httpOnly. - It's possible to set a cookie for
mydomain.comwhen the original request was made tosubdomain.mydomain.com. It's however not possible to set a cookie foranotherdomain.comwhen the original request was made tomydomain.com. See also this answer on StackOverflow.
Ory Kratos uses pass-by-value cookies whose values are encrypted using the secrets.default / secrets.cookie secrets. If these
secrets are changed without doing proper secret / key rotation, all cookies will be invalid which will
cause users to be signed out, and other side effects.
Session cookies
CloudRun, Heroku, and other "serverless" solutions commonly expose services directly to the public, and don't allow for fronting
by a gateway or reverse proxy. In those cases, your application architecture may separate services by subdomain (for example
service1.myproduct.com, service2.myproduct.com, service3.myproduct.com, ...).
If that's the case you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:
session:
cookie:
domain: myproduct.com
It's also possible to restrict the cookie path:
It's very unlikely that you need to change this!
session:
cookie:
path: /some/sub-directory
You can also modify the new HTTP Cookie SameSite Attribute using:
session:
cookie:
same_site: Lax
To change the cookie name use the following configuration:
session:
cookie:
name: your_cookie_name