Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hm, it’s probably a bit incorrect. It definitely works when you use the `domain` setting in the config. So it can work, you just need to ensure to set the config. Maybe you could clarify that in the docs? That would be awesome!

Cheers thanks alot for such a quick response! The domain setting you are referring to would be `session.cookie.domain`  right? And if thats the case if the value is something like `<http://somedomain.com|somedomain.com>` then all the subdomains under it should work?

Would you be open to contribute this to the docs? If not it’s also enough to open an issue (but PR would be preferred :slightly_smiling_face: )

Sure I will check to see if i can make the PR, if not ill open it as an issue on the github repo!

Sorry to come back to this thread again but may I know what are the main reasons as to why the warning regarding usage of subdomain was there in the first place?

because we did not have domain configs before

Ahh i see thanks. Does it make sense then for that warning to be removed? If so i can make a PR for the change to the docs?