<@U04UQ68083H> ory kratos, how can i set cookie wi...
# ory-copilot
@chilly-king-10285 ory kratos, how can i set cookie with SameSite=None
A message from kapa.ai
To set cookies with `SameSite=None` in Ory Kratos, you need to configure the `same_site` attribute for the session cookie in your Kratos configuration file. Here's how you can do it:

```yaml
session:
  cookie:
    same_site: None
```

This configuration should be placed in your `kratos/config.yml` file. Setting `same_site: None` will instruct Ory Kratos to issue cookies with the `SameSite=None` attribute.

Important notes:
- When using `SameSite=None`, the `Secure` flag must also be set, which means your service must be running over HTTPS. Browsers will reject `SameSite=None` cookies that are not marked as `Secure`.
- If you are running in development mode (`--dev`), be aware that cookie behavior may differ, especially regarding the `Secure` flag and `SameSite` handling in browsers like Chrome.

For more details, see the official documentation on configuring cookies in Ory Kratos: [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies/)
@chilly-king-10285 what is the default value?
A message from kapa.ai
The default value for the session cookie's SameSite attribute in Ory Kratos is Lax. This is shown in multiple configuration examples and documentation references:

```yaml
session:
  cookie:
    same_site: Lax
```

This means that unless you explicitly set it to another value (such as `None` or `Strict`), Ory Kratos will issue cookies with `SameSite=Lax` by default [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies/) [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan/).
@chilly-king-10285 i changed but it still used Lax
A message from kapa.ai
If you changed the session cookie's SameSite setting in your Ory Kratos configuration to None, but the cookie is still being set with Lax, there are a few possible reasons based on the knowledge sources:

1. HTTPS Requirement: Browsers require that cookies with `SameSite=None` also have the `Secure` flag set, and are only sent over HTTPS. If you are running Ory Kratos without HTTPS (for example, in development or with the `--dev` flag), the browser may ignore the `SameSite=None` setting and default to Lax or not set the cookie at all [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf/).
2. Development Mode (`--dev`): In `--dev` mode, Ory Kratos disables `SameSite=Lax` because Chrome rejects all cookies that have `SameSite=Lax` but `Secure=false`. However, this can also affect how `SameSite=None` is handled. For production, you should run with HTTPS and not use `--dev` mode [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf/).
3. Configuration Placement: Ensure that you are setting the `same_site` attribute under the correct section in your configuration file:

```yaml
session:
  cookie:
    same_site: None
```

If you set it elsewhere, it may not take effect [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies/).

4. Browser Behavior: Some browsers may ignore `SameSite=None` if the `Secure` flag is not present, or if there are conflicting cookies for the same domain/path with different SameSite settings.

Summary: Double-check that you are running Ory Kratos over HTTPS, not using `--dev` mode, and that your configuration is correct. If these conditions are not met, the cookie may default to Lax even if you set it to None in your config. If you have confirmed all of the above and it still does not work, the knowledge sources do not provide further troubleshooting steps for this specific issue.
@chilly-king-10285 it only works with login, how can i use same_site = none when call login flow?
A message from kapa.ai
To use `same_site = None` for cookies when calling the Ory Kratos login flow, you must ensure the following based on the knowledge sources:

1. Configuration: Set the following in your Kratos configuration:

```yaml
session:
  cookie:
    same_site: None
```

This will instruct Kratos to set the session cookie with `SameSite=None` when a session is created, such as after a successful login [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies/).

2. HTTPS Requirement: Cookies with `SameSite=None` must also have the `Secure` flag, and browsers will only accept them over HTTPS. If you are running on HTTP (not HTTPS), browsers will ignore `SameSite=None` and may default to `Lax` or not set the cookie at all [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf/).
3. Flow Behavior: The `SameSite` setting applies to all session cookies issued by Kratos, not just login. However, the cookie is only set when a session is created (e.g., after a successful login). If you are calling the login flow but not completing it (not authenticating), no session cookie will be set, and thus you won't see the effect of `SameSite=None` [Successful login](https://www.ory.sh/docs/kratos/self-service/flows/user-login/#successful-login).
4. AJAX vs. Browser Flows: The `SameSite` attribute is set on the session cookie regardless of whether you use the browser (redirect) flow or the AJAX flow, as long as the session is created and the response includes a `Set-Cookie` header [Successful login](https://www.ory.sh/docs/kratos/self-service/flows/user-login/#successful-login).

Summary:
- The `same_site` setting in your config applies to all session cookies, including those set after login.
- You must use HTTPS for `SameSite=None` to work.
- The cookie is only set after a successful login (session creation).
- If you are not seeing the cookie with `SameSite=None` after login, double-check your HTTPS setup and configuration.

If you are seeing the correct behavior after login but not in other flows, that's expected—session cookies are only set when a session is created (typically after login or registration), not when simply initializing a flow. If you need the `SameSite=None` cookie to be set at other points, the knowledge sources do not provide information on customizing this behavior beyond the session cookie configuration.