Yes, it is possible to set the

SameSite

attribute of the CSRF cookie to

None

in Ory. This can be done by setting the

serve.cookies.same_site_mode

configuration value to

None

. Here is an example of how to do this:

yaml serve:     cookies:       same_site_mode: None

However, please note that some [browser versions](https://www.chromium.org/updates/same-site/incompatible-clients) reject cookies using the

Same-Site=None

attribute. Ory implements a [workaround](https://web.dev/samesite-cookie-recipes/#handling-incompatible-clients) that can be enabled by setting

serve.cookies.same_site_legacy_workaround

to

true

. This workaround is disabled by default, and only takes effect when

serve.cookies.same_site_mode

is set to

None

.

yaml # SameSite=none requires HTTPS, so we need to disable dev mode:   dev: false      serve:     cookies:       same_site_mode: None       same_site_legacy_workaround: true

Please note that the

SameSite=None

attribute requires the

secure

flag to be set, and the site to be served over HTTPS. If you are running a version of Ory Hydra 1.6 and below and experience issues with this, make sure to not use the

--dev

flag and set the

serve.cookies.same_site_mode

or the

SERVE_COOKIES_SAME_SITE_MODE

environment variable to

Lax

. This happens automatically for Ory Hydra v1.7.0 when running in HTTP mode. Sources: - [Configuring cookies](https://www.ory.sh/docs/hydra/guides/cookies) - [Same-site in Chrome](https://www.ory.sh/docs/self-hosted/hydra/debug/csrf#same-site-in-chrome)

@chilly-king-10285 where to write serve: cookies: same_site_mode: None using ory console

The configuration you're referring to is typically written in the Ory configuration file, not through the console. This file is usually named

config.yml

or

kratos.yml

and is located in the directory where you've installed Ory. Here's an example of how you might set the

same_site_mode

to

None

in the configuration file:

yaml serve:     cookies:       same_site_mode: None

Please note that the exact location and name of the configuration file can vary depending on your specific setup and installation method. If you're using Docker, you might pass these configurations as environment variables instead. In that case, the equivalent environment variable would be

SERVE_COOKIES_SAME_SITE_MODE

. Remember to restart the Ory service after making changes to the configuration for them to take effect. Sources: - [Configuring cookies](https://www.ory.sh/docs/hydra/guides/cookies) - [Same-site in Chrome](https://www.ory.sh/docs/self-hosted/hydra/debug/csrf#same-site-in-chrome) - [Advanced base URL, CSRF and session cookie settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies)

It seems like you're trying to use the Ory client with a Next.js and React application, and you're looking for guidance on how to set the

SameSite

attribute for cookies. The Ory client itself doesn't directly control the

SameSite

attribute of cookies. This is typically controlled on the server-side, in the Ory configuration file as mentioned in the previous responses. However, if you're working with a front-end application and making requests to the Ory server, you need to ensure that your requests include credentials. This can be done by setting

credentials: 'include'

in your fetch requests or by setting

withCredentials: true

in the Ory JavaScript / TypeScript SDK configuration. Here's how you can do it: Using the Ory JavaScript / TypeScript SDK:

javascript import { FrontendApi, Configuration } from "@ory/client"      const ory = new FrontendApi(     new Configuration({       basePath,       baseOptions: {         // Ensures we send cookies in the CORS requests.         withCredentials: true,       },     }),   )

Using the Browser's Fetch API:

javascript fetch("<https://ory.your-custom-domain.com/>", {     credentials: "include",   })

Remember, these settings are necessary for the browser to send cookies along with your requests to the Ory server. Source: [Same top-level domain](https://www.ory.sh/docs/security-model#same-top-level-domain)

Yes, the Ory client can be used with a React application to interact with Ory Kratos. Ory Kratos is an open-source identity and access management service provided by Ory. It provides APIs for handling user registration, login, account recovery, and more. The Ory client is a JavaScript / TypeScript SDK that can be used to interact with these APIs. It can be installed in a React application using npm:

bash npm i --save @ory/client

Once installed, you can use it to make requests to the Ory Kratos server. Here's an example of how you might create an instance of the Ory client in a React application:

javascript import { Configuration, PublicApi } from '@ory/kratos-client'  const configuration = new Configuration({ basePath: '<http://path-to-your-kratos-instance>' }) const kratos = new PublicApi(configuration)

In this example,

PublicApi

is a class provided by the Ory client that includes methods for interacting with the public-facing APIs of Ory Kratos. Sources: - [Integrate Authentication into React](https://www.ory.sh/docs/getting-started/integrate-auth/react) - [Software Development Kit (SDK)](https://www.ory.sh/docs/kratos/sdk/overview) - [Custom user interface with Ory Elements](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-ory-elements)

The

@ory/client

and

@ory/kratos-client

are both JavaScript / TypeScript SDKs provided by Ory. They are used to interact with the APIs provided by Ory services. The

@ory/kratos-client

is specifically designed to interact with the Ory Kratos service, which is an open-source identity and access management service. It provides methods for handling user registration, login, account recovery, and more. On the other hand,

@ory/client

is a more general SDK that can be used to interact with multiple Ory services. It's not limited to just Ory Kratos. In general, if you're only interacting with Ory Kratos, you might prefer to use

@ory/kratos-client

for its specific focus on that service. If you're interacting with multiple Ory services,

@ory/client

might be a better choice for its broader scope. Sources: - [Software Development Kit (SDK)](https://www.ory.sh/docs/kratos/sdk/overview) - [Ory Kratos SDKs GitHub repository](https://github.com/ory/sdk/tree/master/clients/kratos/) - [Ory Kratos Client on npm](https://www.npmjs.com/package/@ory/kratos-client)

Yes, the sample provided by Ory for Next.js and React.js applications, which uses

@ory/client

, is indeed based on Ory Kratos. The

@ory/client

is used to interact with the Ory Kratos APIs for handling user registration, login, account recovery, and more. The sample application demonstrates how to integrate Ory Kratos into a Next.js and React.js application using the

@ory/client

SDK. It provides examples of how to use the SDK to interact with the Ory Kratos service and handle various aspects of user management. You can find the sample application here: [Ory Kratos Next.js and React Example](https://github.com/ory/kratos-nextjs-react-example) Sources: - [Integrate Authentication into Next.js](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs) - [Custom user interface with Ory Elements](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-ory-elements)