hello, I have kratos setup and runs well for some weeks until I got csrf mismatch error lately. I did review page https://www.ory.sh/kratos/docs/next/debug/csrf/ and found this content:

We do not recommend running them on separate subdomains, e.g. <https://kratos.my-website/> and <https://secureapp.my-website/>.

Why do you have that recommendation? just currently I set it up like that way. In case I continue with that way, is there any advice for me to get rid of csrf issue? Thanks so much.

The recommendation is a bit outdated. You need to make sure to set the cookie domain correctly. Would you be up to fix the documentation here so it becomes clearer? 🙂

Ok @User, but let I check and resolve our csrf issue first. I'll contact you again if I can reproduce issue