This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 65%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
There's a security scanning program called DAST which scanned my applications and reported a vulnerability called "Insufficient Session ID Entropy". The vulnerability says that the value for 'MSISAuthenticated' and 'MSISLoopDetectionCookie' are predictable. These are session ID variables from adfs/ls endpoint.
The suggested fix is that the developers need to be certain that the session ID is properly generated by using a cryptographically secure pseudorandom number generator (PRNG).
I would like to know the steps on how I can modify the values for MSISAuthenticated and MSISLoopDetectionCookie session IDs.
Thank you for answering!
You can't modify them.
There is no entropy because these cookies are not used to authenticate a session nor keep confidential data. Those are just trackers really.
MSISAuthenticated is just a timestamp to help calculating session time at creation.
MSISLoopDetectionCookie is just a counter used to break an authentication loop in the event of a misconfiguration (instead of falling into an infinite loop, ADFS will just stop)
Modifying those cookies will not affect the level of security/session of a user. They are just helpers.
Oh okay, thanks! So just to confirm, these cookies cannot be configured/modified since these are base64 encoded timestamps and these are auto-generated by ADFS? Am I right?
Well the phrasing is odd. They can't be modified period. The fact they are encoded in base64 is irrelevant.
okay great, thanks for answering!