This reference covers all of Pomerium's Cookies Settings:
- Cookie Name
- Cookie Secret
- Cookie Domain
- Cookie HTTP Only
- Cookie Expiration
- Cookie SameSite
- Cookie Secret File
Cookie Name
Cookie Name sets the name of the session cookie sent to clients.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Default |
|---|---|---|---|
cookie_name | COOKIE_NAME | string | _pomerium |
Examples
cookie_name: cookie_name
COOKIE_NAME=cookie_name
Cookie Secret
Cookie Secret is the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
cookie_secret | COOKIE_SECRET | string | optional |
Examples
Generate a random, base64-encoded key:
head -c32 /dev/urandom | base64
Add the value to your configuration:
cookie_secret: tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=
COOKIE_SECRET=tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=
Cookie Domain
Cookie Domain sets the scope of session cookies issued by Pomerium.
If you specify the domain explicitly, then subdomains would also be included.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage | Default |
|---|---|---|---|---|
cookie_domain | COOKIE_DOMAIN | string | optional | The host that set the cookie |
Examples
cookie_domain: localhost.pomerium.io
COOKIE_DOMAIN=localhost.pomerium.io
Cookie HTTP Only
If true, Cookie HTTP Only forbids JavaScript from accessing the cookie.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Default |
|---|---|---|---|
cookie_http_only | COOKIE_HTTP_ONLY | boolean | true |
Examples
cookie_http_only: false
COOKIE_HTTP_ONLY=false
Cookie Expiration
Cookie Expiration sets the lifetime of session cookies. After this interval, users must reauthenticate.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Default |
|---|---|---|---|
cookie_expire | COOKIE_EXPIRE | string (Go Duration formatting) | 14h |
Examples
cookie_expire: 13h15m0.5s
COOKIE_EXPIRE=13h15m0.5s
Cookie SameSite
Cookie SameSite sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage | Default | Options |
|---|---|---|---|---|---|
cookie_same_site | COOKIE_SAME_SITE | string | optional | Lax (if unset) | See Cookie SameSite Options |
Examples
cookie_same_site: Lax
COOKIE_SAME_SITE=Strict
Cookie SameSite options
| Attribute | Value || :-- | :-- | --- || Lax | The cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link). || Strict | The browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie. || None | The browser sends the cookie with both cross-site and same-site requests. If you set SameSite=none, the HTTPS only setting must be set to true. | |
Cookie Secret File
Cookie Secret File sets the path to the file containing a secret used to encrypt and sign session cookies.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
cookie_secret_file | COOKIE_SECRET_FILE | string | required (for proxy service) |
Examples
Generate a random, base64-encoded key:
head -c32 /dev/urandom | base64
Add the value to your configuration:
cookie_secret_file: '/run/secrets/POMERIUM_COOKIE_SECRET'
COOKIE_SECRET_FILE='/run/secrets/POMERIUM_COOKIE_SECRET'
This is useful when deploying in environments that provide secret management like Docker Swarm.
