Advanced base URL, CSRF and session cookie settings
This document describes advanced strategies for multi-domain environments and other scenarios.
Base URL
The public base URL (serve.public.base_url) is used to compute redirect URLs, form action URLs, and more.
Cookies
Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as possible to use. Therefore it is important to know that
- HTTP Cookies ignore ports, meaning the browser
will send a cookie it received for http://my-domain.com:1234tohttp://my-domain.com:4321as well.
- Subdomains can set HTTP Cookies for parent domains,
meaning a HTTP Cookie specifying domain=my-domain.comwill be allowed to set even if the URL ishttp://sub.my-domain.comorhttp://sub.sub.my-domain.com.
You can adjust the session cookie's domain using:
# Settings for both anti-CSRF and session cookies
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax
session:
  cookie:
    # Overrides cookies.domain for session cookies
    domain: my-domain.com
    # Overrides cookies.path for session cookies
    path: /
    # Overrides cookies.samesite for session cookies
    same_site: Strict
Seting up Ory Kratos in a way where you get session cookies running on two separate top level domains (for example my-domain.com
and another-domain.com) is supported only on Ory Network or Ory Kratos Enterprise through the
Multibrand feature.