The error message: > "code:400 debugsecurecookie the value is not valid message:no resumable session found reason:The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again! status:Bad Request" indicates that Ory is unable to find the required session cookie in the browser to resume the authentication or self-service flow. This is a common issue related to how cookies are set, scoped, and sent between your browser and the Ory backend. Here are the most likely causes and solutions based on the knowledge sources: ### 1. Cookie Domain and Path Issues Cookies must be set for the correct domain and path. If your Ory instance and your application are on different domains or subdomains, or if the cookie domain is not configured properly, the browser may not send the required cookie back to Ory. For example, if Ory is running on a subdomain and the cookie is not set for the root domain, it may not be accessible across your apps. You can configure the cookie domain in your Ory Kratos configuration:

yaml session:   cookie:     domain: <http://myproduct.com|myproduct.com>

[Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies) ### 2. Mixing Domains (e.g., 127.0.0.1 vs. localhost) Using different hostnames (like

127.0.0.1

and

localhost

) in your flow can cause cookies to be set for one but not sent to the other. Make sure you use the same domain consistently throughout your flow [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). ### 3. Public Suffix Domains If you are using a domain that is on the [public suffix list](https://publicsuffix.org/), cookies cannot be set for the root domain, which can cause this error. Use a subdomain that is not on the PSL [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf). ### 4. Browser Privacy Settings Strict privacy settings or certain browsers (like Brave in "No-Tracking" mode) may block or clear cookies, leading to this error [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout). ### 5. Clearing Cookies and Cache As the error message suggests, sometimes cookies can become invalid or corrupted. Clearing your browser's cookies and cache and trying again can resolve the issue. ### 6. OIDC and Continuity Cookie If you are using OIDC, the

ory_kratos_continuity

cookie must be accessible to Ory after the redirect from the OIDC provider. If it's set for the wrong domain, Ory cannot resume the session, resulting in this error. There is an open issue about making the continuity cookie domain configurable for such scenarios [Github Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713). --- Summary of steps to resolve: - Ensure Ory and your app are on the same domain or properly configured subdomains. - Set the correct cookie domain in your Ory configuration. - Use the same hostname throughout your flow. - Avoid using public suffix domains for cookies. - Clear your browser cookies and cache. - Check browser privacy settings. If you continue to experience issues after these steps, please provide more details about your deployment setup (domains, subdomains, OIDC usage, etc.) for more targeted troubleshooting.

The intermittent nature of the error: > code:400 debugsecurecookie the value is not valid message:no resumable session found reason: error suggests that sometimes the required session or continuity cookie is missing or invalid when Ory tries to resume a flow. Based on the knowledge sources, here are the most likely causes for this intermittent behavior: 1. Inconsistent Domain Usage If your application and Ory are accessed via different domains or subdomains (including differences like

localhost

vs

127.0.0.1

), cookies may not be sent consistently. This can cause the session to be resumable only sometimes, depending on which domain was used in each step of the flow. Consistently use the same domain throughout your flow and configure the cookie domain appropriately in Ory Kratos or Hydra config files [Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies) [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf). 2. Browser Privacy or Security Settings Some browsers (e.g., Brave, Safari with ITP) or privacy modes may block or clear cookies intermittently, especially in incognito/private windows or with strict privacy settings. This can lead to cookies being present sometimes and missing at other times, causing intermittent errors [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout). 3. Public Suffix List Domains If you are using a domain on the public suffix list, cookies may not be set or sent reliably, leading to intermittent failures. Use subdomains not on the PSL [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf). 4. Race Conditions or Multiple Flows Running multiple OAuth2/self-service flows in parallel in the same browser can cause cookies to be overwritten or lost, resulting in intermittent "no resumable session found" errors [CSRF troubleshooting for OAuth2](https://www.ory.sh/docs/troubleshooting/csrf#ory-oauth2). 5. Reverse Proxies or Load Balancers If you are running Ory behind a reverse proxy or load balancer, ensure that the

Cookie

header is not being stripped or altered, as this can cause cookies to be lost intermittently [Common CSRF pitfalls](https://www.ory.sh/docs/self-hosted/hydra/debug/csrf). 6. OIDC Continuity Cookie Domain For OIDC flows, if the

ory_kratos_continuity

cookie is not set for the correct domain, it may not be available after redirects, causing intermittent failures depending on the flow path [Github Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713). What you can do: - Ensure consistent domain usage and correct cookie domain configuration. - Avoid running multiple flows in parallel in the same browser. - Check for browser privacy settings or extensions that may interfere with cookies. - If using OIDC, be aware of the continuity cookie domain issue. - If behind a proxy, ensure cookies are forwarded correctly. If the problem persists, try to reproduce the issue with detailed logs and consistent browser usage to narrow down the cause. If you need more targeted help, please provide details about your deployment, domains, and flow setup. If you need more information, the knowledge sources do not provide further details on debugging intermittent cookie/session issues.

The "continuity cookie domain issue" refers to a limitation in Ory Kratos where the domain for the

ory_kratos_continuity

cookie cannot be configured, unlike other cookies such as the session cookie. This can cause problems in multi-domain or subdomain setups, especially when using OIDC (OpenID Connect) flows. What happens: When you initiate an OIDC flow, Kratos sets the

ory_kratos_continuity

cookie to keep track of the flow state. If Kratos is running on a subdomain (e.g.,

<http://auth.example.com|auth.example.com>

) and your application is on another subdomain or the root domain (e.g.,

<http://app.example.com|app.example.com>

or

<http://example.com|example.com>

), the continuity cookie may be set for the subdomain only. After the user is redirected back from the OIDC provider, Kratos may not be able to access the cookie if the domain does not match, resulting in errors like "no resumable session found" or "the browser does not contain the necessary cookie to resume the session" [Github Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713). Why is this a problem? - You can configure the domain for session and CSRF cookies, but not for the continuity cookie. - In setups with multiple subdomains or services, this means the continuity cookie might not be available where it's needed, breaking the flow after OIDC redirects. - This is especially problematic in architectures where Kratos is behind a gateway or accessed from multiple subdomains. Community feedback: Users have requested the ability to configure the domain for the continuity cookie, just like other cookies, to allow it to be set at the root domain and be accessible across subdomains. This would solve issues in multi-subdomain environments and make OIDC flows more robust. Current status: As of the latest information in the knowledge sources, this is a known issue and has been acknowledged by the Ory team, but there is no built-in solution yet. The workaround is limited, and the problem remains for complex multi-domain setups [Github Issue: ory_kratos_continuity cookie has no domain set](https://github.com/ory/kratos/issues/2713). If you are running into this issue, you are not alone, and the Ory team is aware of the need for a configurable continuity cookie domain.