Configuring cookies
By default, cookies sent by the Hydra Public endpoints are set without explicitly specifying a SameSite mode. To set these cookies with an explicit mode, use the serve.cookies.same_site_mode setting. Possible values are Strict, Lax or None.
If you wish to embed requests to Hydra on a third-party site (for example an iframe that periodically polls to check session status) you will need to set the mode to None.
Some browser versions reject cookies using the SameSite=None attribute. Hydra implements a workaround that can be enabled by setting serve.cookies.same_site_legacy_workaround to true. This workaround is disabled by default, and only takes effect when serve.cookies.same_site_mode is set to None.
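The following Go sketch is an added example, not Hydra's own code; it shows which Set-Cookie headers each same_site_mode value produces with the standard net/http package. Assumptions: the cookie name and value are constructed, and the legacy workaround is modeled as the common fallback pattern of a second cookie (hypothetical "_legacy" suffix) sent without a SameSite attribute. Secure is set because browsers require it alongside SameSite=None.

```go
package main

import (
	"fmt"
	"net/http"
)

// sameSiteFromConfig maps the documented setting values to net/http constants.
// An empty string models the default: no SameSite attribute is emitted.
func sameSiteFromConfig(mode string) (http.SameSite, error) {
	switch mode {
	case "":
		return 0, nil
	case "Strict":
		return http.SameSiteStrictMode, nil
	case "Lax":
		return http.SameSiteLaxMode, nil
	case "None":
		return http.SameSiteNoneMode, nil
	}
	return 0, fmt.Errorf("invalid same_site_mode %q", mode)
}

// setCookieHeaders returns the Set-Cookie header values for one session cookie.
// Assumption: the workaround adds a "<name>_legacy" copy without SameSite, only in None mode.
func setCookieHeaders(name, value, mode string, legacyWorkaround bool) ([]string, error) {
	ss, err := sameSiteFromConfig(mode)
	if err != nil {
		return nil, err
	}
	c := http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true, Secure: true, SameSite: ss}
	out := []string{c.String()}
	if legacyWorkaround && ss == http.SameSiteNoneMode {
		legacy := c
		legacy.Name = name + "_legacy" // hypothetical naming for the fallback cookie
		legacy.SameSite = 0            // omit the attribute for browsers that reject None
		out = append(out, legacy.String())
	}
	return out, nil
}

func main() {
	for _, mode := range []string{"", "Strict", "Lax", "None"} {
		hs, _ := setCookieHeaders("example_session", "constructed-value", mode, true)
		fmt.Printf("%-8q -> %q\n", mode, hs)
	}
}
```

When checking a deployment, inspect the actual Set-Cookie headers returned by the public endpoints and confirm that the attribute matches the configured mode.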