How can I modify the values for MSISAuthenticated and MSISLoopDetectionCookie?

nabi04 56 Reputation points
2021-02-03T13:20:59.35+00:00

There's a security scanning program called DAST which scanned my applications and reported a vulnerability called "Insufficient Session ID Entropy". The vulnerability says that the value for 'MSISAuthenticated' and 'MSISLoopDetectionCookie' are predictable. These are session ID variables from adfs/ls endpoint.

The suggested fix is that the developers need to be certain that the session ID is properly generated by using a cryptographically secure pseudorandom number generator (PRNG).

I would like to know the steps on how I can modify the values for MSISAuthenticated and MSISLoopDetectionCookie session IDs.
Thank you for answering!

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,209 questions
0 comments No comments
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-02-03T14:32:51.873+00:00

    You can't modify them.
    There is no entropy because these cookies are not used to authenticate a session nor keep confidential data. Those are just trackers really.
    MSISAuthenticated is just a timestamp to help calculating session time at creation.
    MSISLoopDetectionCookie is just a counter used to break an authentication loop in the event of a misconfiguration (instead of falling into an infinite loop, ADFS will just stop)

    Modifying those cookies will not affect the level of security/session of a user. They are just helpers.


0 additional answers

Sort by: Most helpful