Cookies Settings
This reference covers all of Pomerium's Cookies Settings:
- Cookie Name
- Cookie Secret
- Cookie Domain
- Cookie Secure
- Cookie HTTP Only
- Cookie Expiration
- Cookie SameSite
- Cookie Secret File
Cookie Name
Cookie Name sets the name of the session cookie sent to clients.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Default |
---|---|---|---|
cookie_name | COOKIE_NAME | string | _pomerium |
Examples
cookie_name: cookie_name
COOKIE_NAME=cookie_name
cookie_name
is a bootstrap configuration setting and is not configurable in the Console.
Cookie Secret
Cookie Secret is the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage |
---|---|---|---|
cookie_secret | COOKIE_SECRET | string | optional |
Examples
Generate a random, base64-encoded key:
head -c32 /dev/urandom | base64
Add the value to your configuration:
cookie_secret: tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=
COOKIE_SECRET=tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=
cookie_secret
is a bootstrap configuration setting and is not configurable in the Console.
See Kubernetes bootstrap secrets for more information.
Cookie Domain
Cookie Domain sets the scope of session cookies issued by Pomerium.
If you specify the domain explicitly, then subdomains would also be included.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage | Default |
---|---|---|---|---|
cookie_domain | COOKIE_DOMAIN | string | optional | The host that set the cookie |
Examples
cookie_domain: localhost.pomerium.io
COOKIE_DOMAIN=localhost.pomerium.io
cookie_domain
is a bootstrap configuration setting and is not configurable in the Console.
Parameter name | Type | Usage | Default |
---|---|---|---|
cookie.domain | string | optional | The host that set the cookie |
Examples
cookie:
domain: localhost.pomerium.io
Cookie Secure
As of v0.25 the Cookie Secure setting is deprecated, and it will be removed in v0.26. Once removed, Pomerium will always set the Secure
attribute on session cookies.
If true, Cookie Secure instructs browsers to only send user session cookies over HTTPS.
Setting this to false
may result in session cookies being sent in clear text.
This setting cannot be set to false
if Cookie SameSite is set to None
.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Default |
---|---|---|---|
cookie_secure | COOKIE_SECURE | boolean | true |
Examples
cookie_secure: false
COOKIE_SECURE=false
As of v0.25, we've removed the Cookie Secure setting from the Enterprise Console (in the Console, this setting was called HTTPS only).
Cookie HTTP Only
If true, Cookie HTTP Only forbids JavaScript from accessing the cookie.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Default |
---|---|---|---|
cookie_http_only | COOKIE_HTTP_ONLY | boolean | true |
Examples
cookie_http_only: false
COOKIE_HTTP_ONLY=false
Configure Cookie HTTP Only with the Javascript Security toggle button in the Console. The button has three states:
- Unset ("-") uses the value in your configuration file
- Checkmark sets
cookie_http_only
totrue
- Empty sets
cookie_http_only
tofalse
Cookie Expiration
Cookie Expiration sets the lifetime of session cookies. After this interval, users must reauthenticate.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Default |
---|---|---|---|
cookie_expiration | COOKIE_EXPIRATION | string (Go Duration formatting) | 14h |
Examples
cookie_expiration: 13h15m0.5s
COOKIE_EXPIRATION=13h15m0.5s
Set Cookie Expiration in the Console:
Parameter name | Type | Default |
---|---|---|
cookie.expire | string (Go Duration formatting) | 14h |
Examples
cookie:
expire: 13h15m0.5s
Cookie SameSite
Cookie SameSite sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage | Default | Options |
---|---|---|---|---|---|
cookie_same_site | COOKIE_SAME_SITE | string | optional | Lax (if unset) | See Cookie SameSite Options |
Examples
cookie_same_site: Lax
COOKIE_SAME_SITE=Strict
Set the Cookie SameSite attribute in the Console:
See Cookie SameSite Options for more information.
Parameter name | Type | Usage | Default | Options |
---|---|---|---|---|
cookie.sameSite | string | optional | Lax (if unset) | See Cookie SameSite Options |
Examples
cookie:
sameSite: None
Cookie SameSite options
Attribute | Value |
---|---|
Lax | The cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link). |
Strict | The browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie. |
None | The browser sends the cookie with both cross-site and same-site requests. If you set SameSite=none , the HTTPS only setting must be set to true . |
Cookie Secret File
Cookie Secret File sets the path to the file containing a secret used to encrypt and sign session cookies.
How to configure
- Core
- Enterprise
- Kubernetes
Config file keys | Environment variables | Type | Usage |
---|---|---|---|
cookie_secret_file | COOKIE_SECRET_FILE | string | required (for proxy service) |
Examples
Generate a random, base64-encoded key:
head -c32 /dev/urandom | base64
Add the value to your configuration:
cookie_secret_file: '/run/secrets/POMERIUM_COOKIE_SECRET'
COOKIE_SECRET_FILE='/run/secrets/POMERIUM_COOKIE_SECRET'
This is useful when deploying in environments that provide secret management like Docker Swarm.
cookie_secret_file
is a bootstrap configuration setting and is not configurable in the Console.
See Kubernetes Secrets reference for more information.