Advanced base URL, CSRF & session cookie settings
This document describes advanced strategies for multi-domain environments and other scenarios.
Base URL
The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more.
Cookies
Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as possible to use. Therefore it is important to know that
- HTTP Cookies ignore ports, meaning the browser
will send a cookie it received for
http://my-domain.com:1234tohttp://my-domain.com:4321as well. - Subdomains can set HTTP Cookies for parent domains,
meaning a HTTP Cookie specifying
domain=my-domain.comwill be allowed to set even if the URL ishttp://sub.my-domain.comorhttp://sub.sub.my-domain.com.
You can adjust the session cookie's domain using:
path/to/kratos/config.yml
# Settings for both anti-CSRF and session cookies
cookies:
domain: www.cookies.com
path: /cookies
same_site: Lax
session:
cookie:
# Overrides cookies.domain for session cookies
domain: my-domain.com
# Overrides cookies.path for session cookies
path: /
# Overrides cookies.samesite for session cookies
same_site: Strict
At the moment it isn't possible to set up Ory Kratos in a way where you get session cookies running on two separate top level
domains (for example my-domain.com and another-domain.com). This is tracked as
kratos#662.