Cookies not persisting
Auth cookies disappear between requests
Users complete a login flow successfully (no error), but on the next page request they're prompted to log in again. The session cookie isn't surviving.
Most common causes
Cookie domain mismatch
The cookie is set with Domain=ciam.example.com but the page is on app.example.com, so the browser doesn't send the cookie.
Check in DevTools → Application → Cookies. Look at the cookie's domain. Match against the current page domain.
Fix: configure Kratos's cookie domain to a parent domain that covers both hosts; see Troubleshooting, Login loops.
SameSite=Strict cookie + cross-origin navigation
Cookie set with SameSite=Strict isn't sent on any cross-site navigation, including legitimate OAuth2 redirects.
Fix: use SameSite=Lax. This is Olympus's default.
Secure cookie over HTTP
A cookie set with the Secure attribute won't be sent on plain HTTP. If your local dev mixes protocols, the cookie disappears.
Fix: HTTPS everywhere. In dev, use Caddy's self-signed cert via localhost.olympus.app.
Browser privacy settings
- Safari Intelligent Tracking Prevention (ITP) blocks cookies set on a domain the user hasn't directly visited.
- Firefox Enhanced Tracking Protection (ETP) behaves similarly.
- Cookie blocking: third-party cookies disabled outright.
Fix: ensure your auth and app domains are on the same registered domain (first-party).
Clock skew
If the cookie's Expires is in the past (because clocks are off), the browser discards it immediately.
Check both server and client clocks: date -u on each should differ by under 5 seconds.
Cookie size
If a cookie exceeds 4KB, some browsers truncate or drop it. Kratos session cookies are small (~1KB).
But if your app sets dozens of cookies on the same domain, the browser's per-domain cookie limit (~50-100 cookies, depending on browser) may evict yours.
Cookie name conflict
Two services set the same cookie name with different paths/domains. The browser follows path-matching rules, so you may be seeing the wrong one win.
In DevTools, expand the cookie row to see all instances. If multiple, fix names to be unique.
Diagnostic procedure
- Open DevTools → Network → preserve log. Reproduce the failing flow.
- Find the Set-Cookie header in the response that authenticates the user. Note: Domain, Path, SameSite, Secure, HttpOnly, Expires.
- Find the next request that should send the cookie. Look at the request's Cookie header. Is the auth cookie there? If not, why? Compare domain, scheme, path.
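The diagnostic procedure above is a manual walk through the browser's cookie-matching rules. The script below, an added example and not part of Olympus or Kratos, applies those same rules (RFC 6265 domain-match, path-match, Secure, Expires/Max-Age, plus SameSite) to a Set-Cookie header and a follow-up request URL, and reports why a cookie would be withheld. The cookie name "session", the example hosts and the scenarios are constructed; the only behavioural assumption beyond the RFC is that, as in current browsers, http://localhost counts as a secure context and SameSite defaults to Lax when the attribute is absent.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # lower-case, leading dot stripped
    host_only: bool             # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool = False
    http_only: bool = False
    same_site: str = "Lax"      # assumed browser default when the attribute is absent
    expires: Optional[datetime] = None


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or host is a subdomain of domain."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, response_url: str, now: datetime) -> Cookie:
    """Store one Set-Cookie header as a browser receiving it from response_url
    would; raises ValueError where a browser rejects the cookie outright."""
    u = urlsplit(response_url)
    host, req_path = (u.hostname or "").lower(), u.path or "/"
    # Default path: request path up to, not including, its last "/" (section 5.1.4)
    default_path = req_path.rsplit("/", 1)[0] if req_path.count("/") > 1 else "/"
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    c = Cookie(name.strip(), value.strip(), host, True, default_path)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            c.domain, c.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            c.path = val
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.http_only = True
        elif key == "samesite":
            c.same_site = val.capitalize()
        elif key == "max-age":                      # Max-Age takes precedence over Expires
            c.expires = now + timedelta(seconds=int(val))
        elif key == "expires" and c.expires is None:
            exp = parsedate_to_datetime(val)
            c.expires = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    if not domain_matches(host, c.domain):
        raise ValueError(f"browser rejects Domain={c.domain} set by {host}")
    return c


def cookies_for_request(jar: list[Cookie], request_url: str, now: datetime, *,
                        cross_site: bool = False, top_level_get: bool = True):
    """Return the cookies a browser would attach (in Cookie-header order) and a
    dict (name, domain, path) -> reason for each cookie it would withhold."""
    u = urlsplit(request_url)
    host, scheme, path = (u.hostname or "").lower(), u.scheme, u.path or "/"
    sent, withheld = [], {}
    for c in jar:
        if c.expires is not None and c.expires <= now:
            reason = "expired (check clock skew)"
        elif c.host_only and host != c.domain:
            reason = f"host-only cookie for {c.domain}"
        elif not c.host_only and not domain_matches(host, c.domain):
            reason = f"Domain={c.domain} does not cover {host}"
        elif not path_matches(path, c.path):
            reason = f"Path={c.path} does not match {path}"
        elif c.secure and scheme != "https" and host != "localhost":
            reason = "Secure cookie on a plain-http request"  # localhost: secure context
        elif c.same_site == "Strict" and cross_site:
            reason = "SameSite=Strict on a cross-site request"
        elif c.same_site == "Lax" and cross_site and not top_level_get:
            reason = "SameSite=Lax: cross-site and not a top-level GET"
        elif c.same_site == "None" and not c.secure:
            reason = "SameSite=None without Secure"
        else:
            sent.append(c)
            continue
        withheld[(c.name, c.domain, c.path)] = reason
    # Section 5.4: longer paths first; the stable sort keeps creation order on ties.
    # Most server frameworks take the first value when a name repeats.
    sent.sort(key=lambda c: -len(c.path))
    return sent, withheld


def cookie_header(sent: list[Cookie]) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in sent)


if __name__ == "__main__":
    # Constructed scenario: session cookie scoped to the CIAM host, request from the app host
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    jar = [parse_set_cookie("session=abc; Domain=ciam.example.com; Secure; HttpOnly; SameSite=Lax",
                            "https://ciam.example.com/login", now)]
    sent, withheld = cookies_for_request(jar, "https://app.example.com/dashboard", now)
    print("Cookie:", cookie_header(sent) or "(none)")
    for key, reason in withheld.items():
        print("withheld", key, "->", reason)
```

Paste the Set-Cookie header and the failing request URL from DevTools into parse_set_cookie and cookies_for_request; the withheld reason maps directly onto the causes listed above (domain mismatch, Strict on a cross-site redirect, Secure over http, skewed Expires, path conflict). Ports are ignored for cookie scope, which is why the Hera and Athena dev instances on localhost share one jar; running two same-named cookies with different paths through cookie_header shows which one the server will read first.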
Olympus-specific gotchas
- Cross-domain CIAM ↔ IAM: cookies set on ciam.example.com never travel to iam.example.com. This is intentional (see CIAM/IAM isolation), but operators sometimes assume the parent domain bridges them. Set the cookie domain explicitly per side.
- Hera and Athena on the same domain: in dev, Hera CIAM (:3000) and Athena CIAM (:3001) share localhost. Cookies on localhost are visible to all ports, which is generally fine, but watch for path conflicts.