Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, I'm having some difficulties with Kratos cookies. I have my website <http://foo.test.myproduct.com|foo.test.myproduct.com>, an api running on <http://api.test.myproduct.com|api.test.myproduct.com>, and Kratos running on <http://auth-foo.test.myproduct.com|auth-foo.test.myproduct.com>. The cookies are only being sent to <http://auth-foo.test.myproduct.com|auth-foo.test.myproduct.com>, and are not visible in dev-tools for <http://foo.test.myproduct.com|foo.test.myproduct.com>. As such, they are never sent to <http://api.test.myproduct.com|api.test.myproduct.com>.

I have cookies configured like so in kratos.yml
```cookies:
  path: /
  same_site: Strict
  domain: <https://foo.test.dermloop.io>```
Does anyone have experience with configuring cookies for a situation like this?

Thanks! :slightly_smiling_face:

The solution was to set the domain to <http://api.test.myproduction.com|api.test.myproduction.com>, and remove https. In case anyone else in future should experience this issue.