Skip to main content

Cookies Settings

This reference covers all of Pomerium's Cookies Settings:

Cookie Name sets the name of the session cookie sent to clients.

Config file keysEnvironment variablesTypeDefault
cookie_name: cookie_name

Cookie Secret is the secret used to encrypt and sign session cookies. If you don't provide a cookie secret, Pomerium will generate one for you.

Config file keysEnvironment variablesTypeUsage

Generate a random, base64-encoded key:

head -c32 /dev/urandom | base64

Add the value to your configuration:

cookie_secret: tdkuWzUelRukP/6VYzopfh6kis7y5u5Ldl3MrIq9ZR0=

Cookie Domain sets the scope of session cookies issued by Pomerium.

If you specify the domain explicitly, then subdomains would also be included.

Config file keysEnvironment variablesTypeUsageDefault
cookie_domainCOOKIE_DOMAINstringoptionalThe host that set the cookie

As of v0.25 the Cookie Secure setting is deprecated, and it will be removed in v0.26. Once removed, Pomerium will always set the Secure attribute on session cookies.

If true, Cookie Secure instructs browsers to only send user session cookies over HTTPS.


Setting this to false may result in session cookies being sent in clear text.


This setting cannot be set to false if Cookie SameSite is set to None.

Config file keysEnvironment variablesTypeDefault
cookie_secure: false

If true, Cookie HTTP Only forbids JavaScript from accessing the cookie.

Config file keysEnvironment variablesTypeDefault
cookie_http_only: false

Cookie Expiration sets the lifetime of session cookies. After this interval, users must reauthenticate.

Config file keysEnvironment variablesTypeDefault
cookie_expirationCOOKIE_EXPIRATIONstring (Go Duration formatting)14h
cookie_expiration: 13h15m0.5s

Cookie SameSite sets the SameSite option for cookies, which determines whether or not a cookie is sent with cross-site requests.

Config file keysEnvironment variablesTypeUsageDefaultOptions
cookie_same_siteCOOKIE_SAME_SITEstringoptional Lax (if unset)See Cookie SameSite Options
cookie_same_site: Lax

| Attribute | Value | | :-- | :-- | --- | | Lax | The cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link). | | Strict | The browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie. | | None | The browser sends the cookie with both cross-site and same-site requests. If you set SameSite=none, the HTTPS only setting must be set to true. | |

Cookie Secret File sets the path to the file containing a secret used to encrypt and sign session cookies.

Config file keysEnvironment variablesTypeUsage
cookie_secret_fileCOOKIE_SECRET_FILEstringrequired (for proxy service)

Generate a random, base64-encoded key:

head -c32 /dev/urandom | base64

Add the value to your configuration:

cookie_secret_file: '/run/secrets/POMERIUM_COOKIE_SECRET'

This is useful when deploying in environments that provide secret management like Docker Swarm.