
Cookies Settings

This reference covers all of Pomerium's Cookies Settings:

Cookie Name sets the name of the session cookie sent to clients.

Config file key: cookie_name
Environment variable: COOKIE_NAME
Type: string
Default: _pomerium
# config file key
cookie_name: cookie_name

# environment variable
COOKIE_NAME=cookie_name

# ingress
cookie.name: cookie_name

Cookie Secret is the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you. Rely on that only for a single-instance test setup: a generated secret is random per process, so it is not shared between replicas and does not survive a restart, and every existing session becomes invalid when it changes. For production, set it explicitly and use the same value on every Pomerium instance that issues or reads session cookies.

Config file key: cookie_secret
Environment variable: COOKIE_SECRET
Type: string
Usage: optional

Generate a random 32-byte (256-bit) key and base64-encode it:

head -c32 /dev/urandom | base64

Add the value to your configuration:

cookie_secret: tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=

COOKIE_SECRET=tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=

Cookie Domain sets the scope of session cookies issued by Pomerium.

If you set the domain explicitly, the cookie is sent to that host and to all of its subdomains (a cookie's Domain attribute always includes subdomains), so scope it no wider than the routes that need it. Leave it unset to have the browser restrict the cookie to the host that set it.

Config file key: cookie_domain
Environment variable: COOKIE_DOMAIN
Type: string
Usage: optional
Default: the host that set the cookie
# config file key
cookie_domain: localhost.pomerium.io

# environment variable
COOKIE_DOMAIN=localhost.pomerium.io

# ingress
cookie.domain: localhost.pomerium.io

Cookie Secure, if true, sets the Secure attribute so that browsers send the user session cookie only over HTTPS.

Danger: setting this to false may result in session cookies being sent in clear text, where anyone on the network path can read them.

Note: this cannot be set to false if Cookie SameSite is set to None; browsers reject a SameSite=None cookie that lacks the Secure attribute.

Config file key: cookie_secure
Environment variable: COOKIE_SECURE
Type: boolean
Default: true
# config file key
cookie_secure: false

# environment variable
COOKIE_SECURE=false

# ingress
cookie.secure: false

Cookie HTTP Only, if true, sets the HttpOnly attribute, which forbids JavaScript (document.cookie) from reading the cookie and so keeps a cross-site scripting bug in an upstream application from stealing the session.

Config file key: cookie_http_only
Environment variable: COOKIE_HTTP_ONLY
Type: boolean
Default: true
# config file key
cookie_http_only: false

# environment variable
COOKIE_HTTP_ONLY=false

# ingress
cookie.httpOnly: false

Cookie Expiration sets the lifetime of session cookies. After this interval, users must reauthenticate.

Config file key: cookie_expiration
Environment variable: COOKIE_EXPIRATION
Type: string (Go duration format)
Default: 14h
# config file key
cookie_expiration: 13h15m0.5s

# environment variable
COOKIE_EXPIRATION=13h15m0.5s

# ingress
cookie.expiration: 13h15m0.5s

Cookie SameSite sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests.

Config file key: cookie_same_site
Environment variable: COOKIE_SAME_SITE
Type: string
Usage: optional
Default: Lax (if unset)
Options: see the table below

Option  Behavior
Lax     The cookie is not sent on cross-site subresource requests, such as requests to load images or frames, but is sent when a user navigates to the site from an external site in a top-level navigation (for example, by following a link).
Strict  The browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie.
None    The browser sends the cookie with both cross-site and same-site requests. If you set SameSite=None, Cookie Secure must be true.
# config file key
cookie_same_site: Lax

# environment variable
COOKIE_SAME_SITE=Strict

# ingress
cookie.sameSite: None

Cookie Secret File sets the path to a file containing the secret used to encrypt and sign session cookies, as an alternative to supplying Cookie Secret inline.

Config file key: cookie_secret_file
Environment variable: COOKIE_SECRET_FILE
Type: string
Usage: required (for proxy service)

Generate a random 32-byte (256-bit) key, base64-encode it, and store it in the file:

head -c32 /dev/urandom | base64

Add the value to your configuration:

cookie_secret_file: '/run/secrets/POMERIUM_COOKIE_SECRET'

COOKIE_SECRET_FILE='/run/secrets/POMERIUM_COOKIE_SECRET'

This is useful when deploying in environments that provide secret management, such as Docker Swarm, where the secret is mounted as a file under /run/secrets rather than passed in an environment variable. Restrict the file's permissions so that only the user Pomerium runs as can read it.