# talk-kratos
h
Anyone was able to configure cookie for main domain?
b
I am having similar issues with this. I was able to make the same changes to the configuration as you, and the browser has set cookies for the domain ".mydomain.tld" with path /. I am using React frontend code, and it works if I run the same code on auth.mydomain.tld (which is the login etc.), but when using app.mydomain.tld the ory/client is not sending the cookies. I have something like this:
```javascript
import { Configuration } from '@ory/client'

// Public Kratos URL; falls back to the dev proxy on the auth subdomain
const kratosConfig = new Configuration({
    basePath: process.env.REACT_APP_KRATOS_PUBLIC_URL ?? 'http://auth.mydomain.tld/kratos',
    baseOptions: {
        // axios option: send cookies on cross-origin requests
        withCredentials: true
    }
})
```
Using kratos v1.0.0
Using ory/client 1.1.41
If I take the cookie from that page and put it in the curl command, Kratos returns the correct JSON. So how do I make sure that the ory/client will include the cookie with the request?
This is a development version, so I am not using https.
This is how kratos sets the cookie on my dev machine (in auth.mydomain.internal)
```text
Set-Cookie: ory_kratos_session=MTY5MTA2N...; Path=/; Domain=mydomain.internal; Expires=Fri, 04 Aug 2023 13:00:26 GMT; Max-Age=86399; HttpOnly; SameSite=Lax
```
And when using http://app.mydomain.internal the cookie is not sent to Kratos, but if I am using http://auth.mydomain.internal it is sent. Kratos lives behind a proxy at http://auth.mydomain.internal/kratos/ ...
Interesting! It seems that it is working in Chrome but not in Safari.
h
In my case it's:
Set-cookie: ory_kratos_session=MTY5MTEzMDU0N3...; Max-Age=86399; Path=/; Expires=Sat, 05 Aug 2023 06:29:06 GMT; HttpOnly; Secure; SameSite=Lax
no domain set
Interesting: Kratos log shows the right domain:
```text
kratos-kratos-1  | time=2023-08-04T06:29:07Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/x@v0.0.562/reqlog/middleware.go:146 http_request=map[headers:map[accept:application/json, text/plain, */* accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 connection:close content-type:application/json cookie:[csrf_token_3a88daad3c0e974b47be0ab7c2d6246393e9f967f9de769e75d37c032a3db269=fQyVyEjWEIt604FCkkVOK+W4Jdz4ekWg7vsfCKSPz4g=] ory-base-url-rewrite:false ory-no-custom-domain-redirect:true referer:https://accounts.my-domain.com/login?flow=8b3ac117-ac77-408f-9f27-36a4051d32d4 user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 x-forwarded-host:accounts.my-domain.com x-ory-base-url-rewrite:false] host:kratos:4433 method:POST path:/self-service/login query:flow=8b3ac117-ac77-408f-9f27-36a4051d32d4 remote:... scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:[csrf_token_3a88daad3c0e974b47be0ab7c2d6246393e9f967f9de769e75d37c032a3db269=zvcVPB73v3dGvd1shV+zkWRY7pqOujSi3aimCOmSw1s=; Path=/; Domain=my-domain.com; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax ory_kratos_session=MTY5MTEz...; Path=/; Domain=my-domain.com; Expires=Sat, 05 Aug 2023 06:29:06 GMT; Max-Age=86399; HttpOnly; Secure; SameSite=Lax] vary:Origin] size:1332 status:200 text_status:OK took:407.756774ms]
```
It looks like something is wrong with the Next.js implementation.
b
For my problem, I should test whether it works over an https connection, but the dev environment is http (no production env yet), to see if that fixes Safari.
Interesting that the domain is not set for you as it is for me.
h
Found the issue!
kratos-selfservice-ui-react-nextjs is using ory/integrations to proxy requests to Kratos.
I had the option set to true:
It was responsible for overriding the domain from the Kratos response.
b
can you show me the code you did for that change?
b
thanks!
Hmm... I wonder whether that is something I should look into, or whether Safari is just so security-focused that it does not work over http but requires https... I don't know!
h
Safari may not work with a non-secure cookie.
b
Interesting... Stackoverflow: "The settings for the cookie did not matter for our iOS application, but for our website we had several hurdles. To get it to work on the desktop website browsers and android we had to set the cookie to secure and httpOnly. However, for iOS mobile browsers the cookie was failing to set. The issue was because mobile browsers on iOS only use first-party cookies. I had to add a CNAME for our API server which was a subdomain of our website and direct API calls to that CNAME. Then, in our API had to specify the domain for the cookie (which you must do explicitly for sub domains to be allowed in the cookie). This resolved it." https://stackoverflow.com/questions/58525719/safari-not-sending-cookie-even-after-setting-samesite-none-secure
Let's see if there is a workaround for this
The ".local" TLD is unknown, and this might cause this. OK, so maybe I have to change the TLD... trying that now!
Yes!!!
That worked.. When changing my .internal TLD to the .fi TLD I was able to make everything work with Safari too!
So instead of mydomain.internal my address is now dev.mydomain.fi (I own the mydomain.fi domain, so it is quite safe for me).
So if local development with subdomains for cookies is not working on Safari but is working on Chrome, then the settings in Kratos and your app are most likely correct. But if you are using a non-standard TLD like .internal or .local, then Safari will not work correctly with the SameSite=Lax cookie setting. Even though this is not a Kratos-related issue, I think this might be something to add as a note somewhere. For example, if you have auth.mydomain.internal and app.mydomain.internal, then app.mydomain.internal is not sending the correct cookies to auth.mydomain.internal even if you have specified in Kratos that the cookie domain is mydomain.internal. This will work for Chrome, but for Safari it does not. For it to work on Safari, you need to change .internal to some known TLD, for example mydomain.com or some other domain that you have access to, so that it will have as few problems as possible with the real world. Maybe something like the local.mydomain.tld format would be a good generic solution for all devs using mydomain.tld 🙂