CSRF troubleshooting
For general CRSF troubleshooting visit the CSRF troubleshooting.
This document contains troubleshooting advice regarding CRSF and cookie errors specific to self-hosted Ory Identities Kratos.
Common issues
SameSite attribute
If you run Ory Kratos in --dev mode, it disables SameSite=Lax as Google
Chrome rejects all cookies that have SameSite=Lax but have secure set to
false. If you require SameSite=Lax, you need to run Ory Kratos with HTTPS
and not use the --dev flag.
Running over HTTP without --dev mode
Ory Kratos' cookies have the Secure flag enabled by default. This means that
the browser won't send the cookie unless the URL is a HTTPS URL. If you want Ory
Kratos to work with HTTP (for example on localhost) you can add the --dev
flag: kratos serve --dev.
Don't do this in production!
Running on separate (sub)domains
Cookies work best on the same domain. While it's possible to get cookies running on subdomains it isn't possible to do that across Top Level Domains (TLDs).
Make sure that your application (for example the Quickstart self service app )
and Ory Kratos Public API are available on the same domain - preferably without
subdomains. Hosting both systems and routing paths with a Reverse Proxy such as
Nginx or Envoy or AWS API Gateway is the best solution. For example, routing
https://my-website/kratos/... to Ory Kratos and https://my-website/dashboard
to the SecureApp's Dashboard. Alternatively you can use piping in your app as we
do in the Quickstart guide.
We don't recommend running them on separate subdomains, such as
https://kratos.my-website/ and https://secureapp.my-website/.
To allow cookies to work across subdomains, make sure to set the domain name in
the Kratos config file under
session.cookie.domain.
Running the apps on different domains won't work at all, such as
https://kratos-my-website/ and https://secureapp-my-website/.
Running the services on different ports is ok, if the domain stays the same.
Mixing up 127.0.0.1 and localhost
Make sure that the domain stays the same. This is also true for 127.0.0.1 and
localhost which are both separate domains. Make sure that you use 127.0.0.1
or localhost consistently across your configuration!
