Skip to main content

Advanced base URL, CSRF & session cookie settings

This document describes advanced strategies for multi-domain environments and other scenarios.

Base URL

The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more.

Cookies

Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as possible to use. Therefore it is important to know that

  1. HTTP Cookies ignore ports, meaning the browser will send a cookie it received for http://my-domain.com:1234 to http://my-domain.com:4321 as well.
  2. Subdomains can set HTTP Cookies for parent domains, meaning a HTTP Cookie specifying domain=my-domain.com will be allowed to set even if the URL is http://sub.my-domain.com or http://sub.sub.my-domain.com.

You can adjust the session cookie's domain using:

path/to/kratos/config.yml
# Settings for both anti-CSRF and session cookies
cookies:
domain: www.cookies.com
path: /cookies
same_site: Lax

session:
cookie:
# Overrides cookies.domain for session cookies
domain: my-domain.com

# Overrides cookies.path for session cookies
path: /

# Overrides cookies.samesite for session cookies
same_site: Strict

At the moment it isn't possible to set up Ory Kratos in a way where you get session cookies running on two separate top level domains (for example my-domain.com and another-domain.com). This is tracked as kratos#662.