<@U04UQ68083H> What are the list of all possible c...
# ory-copilot
@chilly-king-10285 What is the list of all possible cookies that Kratos can set?
A message from kapa.ai
Ory Kratos primarily uses two types of cookies:

1. Session Cookies: These are used to maintain user sessions. The session cookie's domain, path, and other attributes can be configured in the Ory Kratos configuration file. An example of a session cookie is `ory_kratos_session`. The value of this cookie is encrypted using the `secrets.default`/`secrets.cookie` secrets. If these secrets are changed without proper secret/key rotation, all cookies will be invalidated, causing users to be signed out and other side effects.
```yaml
session:
  cookie:
    domain: myproduct.com
```
2. CSRF Cookies: These are used to mitigate common attack vectors. The CSRF cookie's domain, path, and other attributes can also be configured in the Ory Kratos configuration file. An example of a CSRF cookie is `csrf_token`.
```yaml
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax
```
Please note that all cookies in Ory Kratos are always `httpOnly` and unless `--dev` is set, they are only sent over HTTPS. For more details, you can refer to the [Ory Kratos Cookie Configuration Guide](https://www.ory.sh/docs/kratos/guides/configuring-cookies) and the [Ory Kratos API Reference](https://www.ory.sh/docs/kratos/reference/api).