why session cookie can't send betwe...
# ory-copilot
@chilly-king-10285 Why can't the session cookie be sent between subdomains? An error occurred with the following message: No active session was found in this request.

```json
{
  "id": "53bc2b86-2b0a-4dac-8618-0b9327b2a7bd",
  "error": {
    "id": "session_inactive",
    "code": 401,
    "reason": "No active session was found in this request.",
    "status": "Unauthorized",
    "message": "request does not have a valid authentication session"
  },
  "created_at": "2025-06-16T07:13:02.309093Z",
  "updated_at": "2025-06-16T07:13:02.309093Z"
}
```
A message from kapa.ai
The reason your session cookie is not being sent between subdomains is almost always due to the cookie's domain attribute not being set correctly. By default, cookies are only sent to the exact domain that set them. If your application and Ory APIs are running on different subdomains (e.g., app.example.com and auth.example.com), the session cookie must be set for the parent domain (e.g., example.com) to be shared across all subdomains. If the cookie is set for auth.example.com, it will not be sent to app.example.com. To allow sharing, you need to configure the session cookie domain to the root domain (e.g., example.com). This can be done in Ory Kratos by setting the `session.cookie.domain` configuration option:

```yaml
session:
  cookie:
    domain: example.com
```

This ensures the cookie is available to all subdomains of example.com [Configuring Cookies](https://www.ory.sh/kratos/guides/configuring-cookies).

Common pitfalls:
- If you do not set the cookie domain, or set it to a subdomain, the browser will not send the cookie to other subdomains.
- Cookies cannot be shared across different top-level domains (e.g., between example.com and another.com) [Cookie-based security model](https://www.ory.sh/docs/security-model#http-cookies).
- For local development, make sure you use the same domain (e.g., always `localhost` or always `127.0.0.1`) [Local development](https://www.ory.sh/docs/getting-started/local-development#local-development).
- Some cookies, like the `ory_kratos_continuity` cookie, may not have configurable domains in some Ory versions, which can cause issues in multi-subdomain setups [GitHub Issue #2713](https://github.com/ory/kratos/issues/2713).

Error explanation: The error message you received (`No active session was found in this request.`) means the Ory API did not receive a valid session cookie in the request. This is typically because the browser did not send the cookie due to a domain mismatch.

Summary: To share session cookies between subdomains, set the cookie domain to the parent domain. If you still encounter issues, double-check your configuration and ensure all services are using the correct domain settings [Advanced base URL, CSRF and session cookie settings](https://www.ory.sh/docs/kratos/guides/multi-domain-cookies). If you need more specific troubleshooting, please provide your current cookie configuration and the domains/subdomains involved.
@chilly-king-10285 Can I put an IP there?
A message from kapa.ai
You generally should not use an IP address as the cookie domain. According to the Ory documentation, cookies are domain-based, and the domain attribute should be set to a valid domain name (like example.com). While technically you can set cookies for an IP address, browsers may not always handle this consistently or securely, and it is not recommended for production use.

For local development, you should use `localhost` or `127.0.0.1` consistently across your configuration. Mixing `localhost` and `127.0.0.1` can cause issues because they are treated as different domains by browsers. The Ory documentation specifically notes:

> Make sure that you use `127.0.0.1` or `localhost` consistently across your configuration!

[CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)

For production, always use a proper domain name and set the cookie domain to the parent domain to allow sharing between subdomains. Using an IP address for the cookie domain is not recommended and may not work as expected in all browsers or environments. If you need to develop locally and want cookies to work, use the Ory Tunnel, which allows Ory APIs and your app to share the same domain during development [Ory Tunnel](https://www.ory.sh/docs/cli/ory-tunnel#ory-tunnel).
@chilly-king-10285 What if I have two domains, login.alpha.qaap.io and core.alpha.qaap.io?
A message from kapa.ai
If you have two subdomains like login.alpha.qaap.io and core.alpha.qaap.io and want to share session cookies between them, you should set the cookie domain to the parent domain: alpha.qaap.io. This way, cookies set for alpha.qaap.io will be sent to both subdomains by the browser.

How to configure: In Ory Kratos, you would set this in your configuration:

```yaml
session:
  cookie:
    domain: alpha.qaap.io
```

This ensures that both login.alpha.qaap.io and core.alpha.qaap.io can access the same session cookie, allowing users to stay authenticated across both subdomains. This approach is supported and recommended for subdomain setups [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies), [Cookie-based security model](https://www.ory.sh/docs/security-model#http-cookies).

Important notes:
- This will not work across different top-level domains (e.g., between alpha.qaap.io and beta.qaap.com).
- Make sure both services use HTTPS in production, as cookies with the `Secure` flag will not be sent over HTTP.
- For Ory Network, when you add a custom domain, the cookie domain is set to the root domain by default, which enables this behavior [Migrate to Ory: Integrate frontend](https://www.ory.sh/docs/migrate-to-ory#integrate-frontend).

If you configure the cookie domain as described, users will be able to share sessions between login.alpha.qaap.io and core.alpha.qaap.io.