# talk-kratos
b
Hey, I'm having an issue with cookies and CSRF. I know cookies should not be port specific, but whenever a request is sent to <http://localhost:3000> my CSRF (and other) cookies are included, but requests to Kratos on <http://localhost/auth/public/xxx> do not contain the cookies. Does anyone have experience with this?
w
Cookies and localhost are a bag of trouble: https://ireadyoulearn.info/2022/01/16/set-cookies-on-localhost/. It's so much trouble and pain during the development and testing phase that I advise people to disregard tutorials using localhost and just go with real TLS and hosts in /etc/hosts. It's crazy that people inflict this pain on themselves when it's all very simple in production with real TLS; just do real TLS from the get-go.
b
Alright, thanks
w
If you control the DNS for the domain you work with, you can do this to have real LE certs that your browser is going to be happy with: https://gruchalski.com/posts/2021-06-04-letsencrypt-certificates-for-local-development/
b
I'm sure you've used `localhost` throughout, but the documentation usually uses `127.0.0.1` and the quickstart uses that as a default. If it's not too much trouble, it might be worth just switching your config to 127 to check.
d
For localhost you could use Caddy to reverse proxy and serve both on the same domain/port.
w
Yes, that'll work. I'm using Envoy myself with certificates sourced as described in the article; it works like a charm without the dev mode, straight into production with Istio.
r
You may find this helpful: https://nip.io
😉
b
So as it turns out, my particular problem was solved by setting the `withCredentials` option in the Kratos JavaScript SDK 😂 I assumed this option would be set by default as it's always required, but now it all works on localhost.
m
Glad it was just the setting, but very helpful resources in this thread 🙌 FWIW, `ory tunnel` is something similar to the Caddy solution built into the Ory CLI. I think it only works for Ory Network projects though.