When working with cookies, keep the following in mind:
- HTTP cookies are not port specific. If a cookie is set on `https://mydomain.com:1234`, it is also valid for the same host on any other port.
- Unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS.
- Cookies in Ory Kratos are always
- It is possible to set a cookie for `mydomain.com` when the original request was made to `subdomain.mydomain.com`. It is however not possible to set a cookie for `anotherdomain.com` when the original request was made to `mydomain.com`. See also this answer on StackOverflow.
Ory Kratos uses pass-by-value cookies whose values are encrypted using the `secrets.cookie` secrets. If these secrets are changed without proper secret / key rotation, all existing cookies become invalid, which signs users out and causes other side effects.
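An added example of rotating the cookie secrets without invalidating live sessions (this is not a snippet from the Ory Kratos documentation page; the secret values are constructed placeholders, and it assumes Ory Kratos' documented rotation behaviour where the first list entry encrypts new cookies and the remaining entries are only used to decrypt cookies that were issued earlier):

```yaml
# Added example, not taken from the Ory Kratos documentation page.
# Secret values below are placeholders; generate real ones from a CSPRNG
# (Ory Kratos rejects cookie secrets shorter than 16 characters).
secrets:
  cookie:
    # First entry: used to encrypt and sign every cookie issued from now on.
    - NEW_COOKIE_SECRET_REPLACE_ME
    # Previous secret(s): kept so cookies issued under them still decrypt.
    # Drop an old entry only after every cookie it issued has expired;
    # removing it earlier signs those users out.
    - OLD_COOKIE_SECRET_REPLACE_ME
```

Rotate by prepending the new secret, deploying, waiting at least one full cookie lifetime, and only then removing the old entry. Replacing the list in a single step is exactly the unrotated change described above that invalidates all cookies at once.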
CloudRun, Heroku, and other "serverless" solutions commonly expose services
directly to the public, and do not allow for fronting by a gateway or reverse
proxy. In those cases, your application architecture may separate services by
If that is the case you can change the session cookie domain and path using the following configuration keys in your Ory Kratos configuration:
It is also possible to restrict the cookie path:
It is very unlikely that you need to change this!
You can also modify the new HTTP Cookie SameSite Attribute using:
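The three settings described above, collected in one added example configuration (not the page's own snippet; the `session.cookie.domain`, `session.cookie.path` and `session.cookie.same_site` keys are the Ory Kratos configuration keys for the session cookie, while the domain value is a constructed placeholder):

```yaml
# Added example, not taken from the Ory Kratos documentation page.
session:
  cookie:
    # Widen the cookie to the registered domain so that it is also sent to
    # other subdomains, e.g. when Ory Kratos and the application live on
    # different subdomains of mydomain.com (placeholder domain).
    domain: mydomain.com
    # Restrict the cookie to a path prefix. "/" means the cookie accompanies
    # every request on the host; the page notes you are very unlikely to
    # need anything narrower.
    path: /
    # SameSite policy for the session cookie (Strict, Lax or None).
    # Lax still sends the cookie on top-level navigations that arrive from
    # another site, which cross-site login redirects rely on; Strict blocks
    # those; None requires Secure and should be chosen only deliberately.
    same_site: Lax
```

Because the domain setting makes the session cookie readable by every subdomain of `mydomain.com`, set it only when a subdomain you control actually needs the cookie; a compromised or third-party-hosted subdomain would otherwise receive it on every request.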