---
id: multi-domain-cookies
title: Advanced base URL, CSRF and session cookie settings
sidebar_label: Advanced cookie settings
---

This document describes advanced strategies for multi-domain environments and other scenarios.

## Base URL

The public base URL (`serve.public.base_url`) is used to compute redirect URLs, form action URLs, and more.

## Cookies

Ory Kratos' browser features rely heavily on HTTP Cookies to mitigate common attack vectors and make the integration as easy as
possible to use. Therefore it is important to know that

1. [HTTP Cookies ignore ports](https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific), meaning the browser
   will send a cookie it received for `http://my-domain.com:1234` to `http://my-domain.com:4321` as well.
2. [Subdomains can set HTTP Cookies for parent domains](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain),
   meaning a HTTP Cookie specifying `domain=my-domain.com` will be allowed to set even if the URL is `http://sub.my-domain.com` or
   `http://sub.sub.my-domain.com`.

You can adjust the session cookie's domain using:

```yaml title="path/to/kratos/config.yml""
# Settings for both anti-CSRF and session cookies
cookies:
  domain: www.cookies.com
  path: /cookies
  same_site: Lax

session:
  cookie:
    # Overrides cookies.domain for session cookies
    domain: my-domain.com

    # Overrides cookies.path for session cookies
    path: /

    # Overrides cookies.samesite for session cookies
    same_site: Strict
```

Seting up Ory Kratos in a way where you get session cookies running on two separate top level domains (for example `my-domain.com`
and `another-domain.com`) is supported only on Ory Network or Ory Kratos Enterprise through the
[Multibrand](../../kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains) feature.