To change the session cookie's SameSite attribute to

None

with

secure=true

, you need to update your configuration as follows: For Ory Kratos, you would set in your config file:

yaml session:   cookie:     same_site: None     # secure is true by default unless --dev is set

For Ory Hydra, you would use:

yaml serve:   cookies:     same_site_mode: None     # secure is true by default unless dev: true is set

Important notes: - The

SameSite=None

attribute requires the

Secure

flag to be set, which means cookies will only be sent over HTTPS. This is enforced by modern browsers. - You must not run in

--dev

mode, as that disables the

Secure

flag. Make sure your deployment is using HTTPS and not in development mode. - If you need to support older browsers that do not handle

SameSite=None

correctly, you can enable the legacy workaround in Hydra with

same_site_legacy_workaround: true

(only relevant if you are using Hydra) [Configuring cookies in Hydra](https://www.ory.sh/docs/hydra/guides/cookies). Example for Hydra:

yaml dev: false  serve:   cookies:     same_site_mode: None     same_site_legacy_workaround: true

Example for Kratos:

yaml session:   cookie:     same_site: None

Make sure your service is running over HTTPS and not in development mode to ensure the

Secure

flag is set [Kratos CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf) [Hydra CSRF pitfalls](https://www.ory.sh/docs/self-hosted/hydra/debug/csrf). If you follow these steps, your session cookies will be set with

SameSite=None; Secure

.

@chilly-king-10285 How can I do it with cli tool?

To change the session cookie's SameSite attribute to

None

with

secure=true

using the Ory CLI, you need to patch your project's configuration. For Ory Kratos (Ory Identities), you can use the following CLI command:

sh ory patch identity-config --project <project-id> --workspace <workspace-id> \   --replace '/session/cookie/same_site="None"'

For Ory Hydra (Ory OAuth2 & OpenID), use:

sh ory patch oauth2-config --project <project-id> --workspace <workspace-id> \   --replace '/serve/cookies/same_site_mode="None"'

Notes: - The

secure

flag is enabled by default unless you are running in development mode. - Make sure your deployment is not in

--dev

mode and is using HTTPS, as

SameSite=None

requires

Secure=true

 [Configuring cookies in Hydra](https://www.ory.sh/docs/hydra/guides/cookies) [Kratos CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). - Replace

<project-id>

and

<workspace-id>

with your actual project and workspace IDs. You can find more about patching configuration with the CLI in the official documentation [Configure projects with Ory CLI](https://www.ory.sh/docs/guides/cli/config-with-cli).