Based on the provided knowledge sources, I can offer some insights about changing the SameSite attribute for session cookies in Ory, particularly when several apps run on different servers under the same domain. Changing the SameSite attribute to 'None' is possible, but it comes with some security considerations:

1. Security implications: Setting SameSite to 'None' makes the cookie available in cross-site contexts, which can expose it to certain classes of attack, such as CSRF (Cross-Site Request Forgery).

2. HTTPS requirement: When setting SameSite to 'None', the cookie must also carry the 'Secure' flag, which means it is only sent over HTTPS connections. Modern browsers, Chrome in particular, enforce this, as described in the [Ory Hydra debug documentation](https://www.ory.sh/docs/self-hosted/hydra/debug/csrf#same-site-in-chrome).

3. Browser compatibility: Some older browser versions do not support, or actively reject, cookies with SameSite=None. The [Kratos CSRF troubleshooting guide](https://www.ory.sh/docs/kratos/debug/csrf) describes a workaround for this, which can be enabled in the configuration.

4. Alternative approaches: Instead of setting SameSite to 'None', consider the other options first. For instance, the [Kratos cookie configuration guide](https://www.ory.sh/docs/kratos/guides/configuring-cookies) explains that you can set the cookie domain to a parent domain that covers all of your subdomains. If your apps live on subdomains of one parent domain, this is the more secure approach, because the cookie stays same-site for every app.

5. Multiple domains: If your apps are genuinely on different top-level domains (not just subdomains), setting SameSite to 'None' may be unavoidable. Be aware, however, that users will need to authenticate separately on each domain because of browser security restrictions, as explained in the [Ory multi-domain documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains).

In conclusion, while it is possible to set SameSite to 'None' for your session cookies, it is not always the safest option. Carefully weigh the security implications and explore the alternatives that may fit your setup while keeping the session cookie protected. If you do decide on SameSite=None, make sure every app is served over HTTPS and keep the browser compatibility issues above in mind.
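The following is an added example, not Ory's own code, that turns the points above into a check a practitioner can run against the `Set-Cookie` headers an Ory deployment actually emits: it parses a header, flags `SameSite=None` without `Secure` (the combination browsers reject) and `SameSite=None` at all (the cross-site exposure), and then applies RFC 6265 domain matching to show why a `Domain=` set to the parent domain keeps a session cookie reachable from all subdomains while two unrelated top-level domains cannot share it. The header values and hostnames are constructed; `ory_kratos_session` is Kratos's default session cookie name but the attribute values are illustrative, and the shared-parent-domain helper deliberately ignores the public suffix list (a simplification, noted in the code).

```python
"""Lint Set-Cookie headers for the SameSite / Secure / Domain rules discussed above.

Added example, not Ory code. All header values and hostnames are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes (Secure, HttpOnly)
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def lint_cookie(cookie: Cookie) -> list:
    """Return findings, most severe first, for the cookie's SameSite/Secure settings."""
    findings = []
    same_site = str(cookie.attrs.get("samesite", "")).lower()
    secure = cookie.attrs.get("secure") is True
    if same_site == "none" and not secure:
        findings.append("SameSite=None requires the Secure attribute; Chrome and other modern browsers reject this cookie")
    if same_site == "none":
        findings.append("SameSite=None sends the cookie in cross-site contexts, so CSRF protection must come from elsewhere")
    if not same_site:
        findings.append("no SameSite attribute; browsers default to Lax, so state it explicitly")
    return findings


def cookie_sent_to(cookie: Cookie, issuing_host: str, request_host: str) -> bool:
    """RFC 6265 domain matching: a Domain=example.com cookie reaches example.com and every subdomain;
    a cookie without Domain is host-only and reaches only the host that set it."""
    domain = cookie.attrs.get("domain")
    host = request_host.lower()
    if not isinstance(domain, str) or not domain:
        return host == issuing_host.lower()
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def shared_parent_domain(hosts: list) -> str:
    """Longest common parent domain of the given app hostnames, or None if they share at most a TLD.

    Simplification: the public suffix list is not consulted, so inputs like a.co.uk / b.co.uk
    would wrongly yield co.uk; a real check must reject public suffixes as cookie domains."""
    reversed_labels = [list(reversed(h.lower().split("."))) for h in hosts]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    if len(common) < 2:
        return None
    return ".".join(reversed(common))


if __name__ == "__main__":
    # Constructed headers: the weak setting beside the corrected one.
    weak = parse_set_cookie("ory_kratos_session=abc123; Path=/; Domain=example.com; SameSite=None")
    fixed = parse_set_cookie("ory_kratos_session=abc123; Path=/; Domain=example.com; SameSite=Lax; Secure; HttpOnly")
    for c in (weak, fixed):
        print(c.attrs.get("samesite"), "->", lint_cookie(c) or ["ok"])
    apps = ["app1.example.com", "app2.example.com"]
    print("parent domain for", apps, "->", shared_parent_domain(apps))
    print("sent to app1?", cookie_sent_to(fixed, "auth.example.com", "app1.example.com"))
    print("sent to other TLD?", cookie_sent_to(fixed, "auth.example.com", "app.other.org"))
```

Run it as a script to see the weak and corrected cookies side by side; in practice you would feed it the `Set-Cookie` lines from a `curl -i` against your Kratos public endpoint. When `shared_parent_domain` returns a value for all of your app hosts, setting the Kratos cookie domain to that value (option 4 above) is the route to prefer; when it returns `None`, you are in the multiple-domain situation of option 5.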