Advanced Base URL, CSRF & Session Cookie Settings
This document describes advanced strategies for multi-domain environments and other scenarios.
Base URL
The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more.
Cookies
Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and to make the integration as easy as possible to use. Therefore it is important to know that:
- HTTP Cookies ignore ports, meaning the browser will send a cookie it received for http://my-domain.com:1234 to http://my-domain.com:4321 as well.
- Subdomains can set HTTP Cookies for parent domains, meaning an HTTP Cookie specifying domain=my-domain.com will be allowed to be set even if the URL is http://sub.my-domain.com or http://sub.sub.my-domain.com. The reverse also holds: a cookie scoped to domain=my-domain.com is sent to every host under that domain, so only widen the cookie domain when you trust all of those hosts with the session.
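The two scoping rules above can be checked without a browser using Go's standard-library cookie jar, which implements RFC 6265 cookie scoping. This is an added example, not code from the Ory Kratos documentation or code base; the hostnames, the cookie names (ory_kratos_session, csrf_token) and the helper names are made up for the demonstration. The jar is created without a public-suffix list, so unlike a browser it would also accept a cookie for a bare suffix such as "com"; the rejection of a Domain attribute that does not cover the setting host is enforced either way, which is the case shown here.

```go
// Added example (not from Ory Kratos): demonstrates RFC 6265 cookie scoping
// with Go's cookie jar. Hostnames and cookie names are constructed for the demo.
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// mustURL parses a URL; all inputs in this example are constants.
func mustURL(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

// newJar returns an RFC 6265 cookie jar. A nil PublicSuffixList means the jar
// does not block cookies for public suffixes (browsers do), but it still
// requires a Domain attribute to cover the host that sets the cookie.
func newJar() http.CookieJar {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	return jar
}

// cookieNames returns the names of the cookies the jar would send to rawURL.
func cookieNames(jar http.CookieJar, rawURL string) []string {
	var names []string
	for _, c := range jar.Cookies(mustURL(rawURL)) {
		names = append(names, c.Name)
	}
	return names
}

// PortsIgnored stores a host-only cookie received from setURL and reports
// which cookies would be sent to getURL (same host, different port).
func PortsIgnored(setURL, getURL string) []string {
	jar := newJar()
	jar.SetCookies(mustURL(setURL), []*http.Cookie{
		{Name: "ory_kratos_session", Value: "s1", Path: "/"},
	})
	return cookieNames(jar, getURL)
}

// ParentDomainCookie has setURL set a cookie with Domain=domain and reports
// which cookies would be sent to getURL. Cookies whose Domain does not cover
// the setting host are rejected by the jar, as a browser would reject them.
func ParentDomainCookie(setURL, domain, getURL string) []string {
	jar := newJar()
	jar.SetCookies(mustURL(setURL), []*http.Cookie{
		{Name: "csrf_token", Value: "c1", Path: "/", Domain: domain},
	})
	return cookieNames(jar, getURL)
}

func main() {
	// Rule 1: ports are ignored, so a cookie from :1234 is sent to :4321.
	fmt.Println(PortsIgnored("http://my-domain.com:1234/", "http://my-domain.com:4321/"))
	// Rule 2: a subdomain may set a cookie for its parent domain ...
	fmt.Println(ParentDomainCookie("http://sub.sub.my-domain.com/", "my-domain.com", "http://my-domain.com/"))
	// ... and every sibling host under that parent then receives it too.
	fmt.Println(ParentDomainCookie("http://sub.my-domain.com/", "my-domain.com", "http://other.my-domain.com/"))
	// A host cannot set a cookie for an unrelated domain: the jar drops it.
	fmt.Println(ParentDomainCookie("http://sub.my-domain.com/", "another-domain.com", "http://another-domain.com/"))
}
```

The last call is the browser-side reason for the limitation described further down: a cookie can be widened to a parent domain but never handed to an unrelated domain, so one Kratos instance cannot share a session cookie across two separate domains.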
You can adjust the session cookie's domain, path and SameSite attribute using:
path/to/kratos/config.yml
```yaml
# Settings for both anti-CSRF and session cookies
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax
session:
  cookie:
    # Overrides cookies.domain for session cookies
    domain: my-domain.com
    # Overrides cookies.path for session cookies
    path: /
    # Overrides cookies.same_site for session cookies
    same_site: Strict
```
What is not currently possible is to set up Ory Kratos in a way where you get session cookies running on two separate top-level domains (e.g. my-domain.com and another-domain.com). This is tracked as kratos#662.