# ory-copilot
@chilly-king-10285 could you suggest how we can set httpOnly Cookies by using Kratos + kratos-selfservice-ui-react-nextjs for other subdomains? My kratos is under a subdomain and also kratos-selfservice-ui is under another subdomain. I want to set the custom cookie for another subdomain from the Kratos backend.
A message from kapa.ai
To set cookies for other subdomains using Ory Kratos, you need to configure the session cookie's domain in your Ory Kratos configuration. Here's how you can do it:
```yaml
session:
  cookie:
    domain: mydomain.com
```
In this configuration, `mydomain.com` is the domain you want to set the cookie for. This configuration allows cookies to be set for `mydomain.com` even when the original request was made to `subdomain.mydomain.com`. However, it's not possible to set a cookie for `anotherdomain.com` when the original request was made to `mydomain.com` [[source](https://www.ory.sh/docs/kratos/guides/configuring-cookies)]. Please note that Ory and your UI must be hosted on the same top-level domain. You can't host Ory and your UI on separate top-level domains. For example, `ory.bar.com` and `app.bar.com` will work; `ory.bar.com` and `bar.com` will work; but `ory.bar.com` and `not-bar.com` will not work [[source](https://www.ory.sh/docs/kratos/self-service/flows/user-login#initialize-login-flow)]. Also, keep in mind that cookies in Ory Kratos are always `httpOnly` and, unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS [[source](https://www.ory.sh/docs/kratos/guides/configuring-cookies)]. For more detailed information on configuring cookies with Ory Kratos, you can refer to the [official documentation](https://www.ory.sh/docs/kratos/guides/configuring-cookies).
@chilly-king-10285 I want to set the cookie for a specific subdomain, not for the parent domain
A message from kapa.ai
To set cookies for a specific subdomain using Ory Kratos, you can specify the subdomain in the `domain` field of the session cookie configuration. Here's how you can do it:

```yaml
session:
  cookie:
    domain: sub.mydomain.com
```
In this configuration, `sub.mydomain.com` is the subdomain you want to set the cookie for. This configuration allows cookies to be set for `sub.mydomain.com` specifically, not for the parent domain `mydomain.com` [[source](https://www.ory.sh/docs/kratos/guides/configuring-cookies)]. Please note that cookies in Ory Kratos are always `httpOnly` and, unless `--dev` is set, Ory Kratos' cookies are only sent over HTTPS [[source](https://www.ory.sh/docs/kratos/guides/configuring-cookies)]. For more detailed information on configuring cookies with Ory Kratos, you can refer to the [official documentation](https://www.ory.sh/docs/kratos/guides/configuring-cookies).
@chilly-king-10285 can I set multiple domains?
A message from kapa.ai
Currently, Ory Kratos does not support setting session cookies across multiple top-level domains. This means you cannot set up Ory Kratos in a way where you get session cookies running on two separate top-level domains (for example `my-domain.com` and `another-domain.com`). This limitation is tracked in the Ory Kratos GitHub issue [kratos#662](https://github.com/ory/kratos/issues/662) [[source](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies)]. However, you can set cookies for subdomains of the same top-level domain. For example, if you have `service1.myproduct.com`, `service2.myproduct.com`, `service3.myproduct.com`, you can set the session cookie's domain to `myproduct.com` to allow the cookie to be available across these subdomains [[source](https://www.ory.sh/docs/kratos/guides/configuring-cookies#session-cookies)]. For more detailed information on configuring cookies with Ory Kratos, you can refer to the [official documentation](https://www.ory.sh/docs/kratos/guides/configuring-cookies).
@chilly-king-10285 any other workaround?
A message from kapa.ai
As of now, there is no direct workaround to set session cookies across multiple top-level domains in Ory Kratos. The limitation is due to the nature of cookies themselves, as they are designed to be domain-specific for security reasons. However, you might consider the following alternatives:

1. Reverse Proxy: You could set up a reverse proxy that routes requests to the appropriate service based on the path or some other part of the request. This way, all services appear to be on the same domain as far as the client is concerned.
2. Centralized Login Domain: Another common approach is to have a centralized login domain (e.g., `login.myproduct.com`) where all authentication happens. After successful authentication, users are redirected back to the appropriate service with some sort of token that the service can use to establish a session.
3. Third-Party Cookies: Another approach is to use third-party cookies. However, this approach is becoming less viable as many modern browsers block third-party cookies by default due to privacy concerns.

Please note that these are general suggestions and might require additional security considerations. Always ensure to follow best practices for authentication and session management. For more detailed information on configuring cookies with Ory Kratos, you can refer to the [official documentation](https://www.ory.sh/docs/kratos/guides/configuring-cookies).
@chilly-king-10285 I guess you misunderstand. I don't want to set the session cookie for a specific subdomain; I want to set my own custom cookie with custom data, apart from the session cookie
A message from kapa.ai
If you want to set your own custom cookies, you can use the `cookie` mutator in Ory Oathkeeper. This mutator allows you to pass the credentials to the upstream application via cookies. Here's an example of how you can configure it:

```yaml
mutators:
  cookie:
    enabled: true
    config:
      cookies:
        # each key is a cookie name; values are Go text/template expressions
        user: "{{ print .Subject }}"
        some-arbitrary-data: "{{ print .Extra.some.arbitrary.data }}"
```
In this configuration, `user` and `some-arbitrary-data` are the names of the cookies to be added to the request. The values of these cookies are determined by the Go `text/template` package for value substitution, receiving the `AuthenticationSession` struct [[source](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#cookie)]. Please note that this configuration is for Ory Oathkeeper, not Ory Kratos. Ory Kratos does not currently support setting custom cookies directly. If you need to set custom cookies in your application, you might need to handle it in your application code or use a reverse proxy.