# general
c
Hello. I'm curious about how Kratos implements cookies. If I have 2 kratos instances living on the same domain, can I submit a cookie issued by one Kratos instance to a second Kratos instance and have it be honored? Thinking about a situation where I've got 2 kratos instances deployed on different paths.
b
That should work, as long as both instances share the same cookie secrets and the same cookie name configuration.
c
@bland-eye-99092 So if they do not share the same cookie secrets, it will not be possible to log into both? To be clear I do NOT want users to be able to log into both with the same cookies.
b
You can control the name of the cookie via `cookie.name` and give each instance a distinct name. Then, during the whoami call, each instance will "pick" their own cookie and validate only that, ignoring the other cookie entirely.
c
If a malicious user changed the name of the cookie somehow, would they be able to log into the "wrong" instance that way though?