Hi, I am using @azure/msal-browser version 2.23.0 and @azure/msal-react version 1.3.2 in a SPA React application. The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute. How can I set the HTTPOnly flag on the cookies to pass my security testing?
My MSALConfig looks like below
```typescript
import { Configuration } from "@azure/msal-browser";

export const msalConfig: Configuration = {
  auth: {
    clientId: "*************************************",
    authority: "https://login.microsoftonline.com/********************************",
    redirectUri: "http://localhost:3000",
    postLogoutRedirectUri: "http://localhost:3000"
  },
  cache: {
    cacheLocation: "sessionStorage", // This configures where your cache will be stored
    storeAuthStateInCookie: false, // When true, auth request state is also kept in browser cookies
  }
};
```
thanks,
kavitha
Hello @Kavitha Ranga, this is by design as the cookie(s) need to be accessed from JavaScript.
Please let us know if you need additional assistance.
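The constraint behind the answer above, as an added example that is not part of the original thread and is not MSAL code: a small cookie jar modelling the HttpOnly rules of RFC 6265 (sections 5.3 and 5.4), which show why a cookie written and read through `document.cookie` cannot carry that attribute. The cookie names and values are constructed, and the model ignores Path, Domain and expiry matching.

```javascript
// Minimal cookie jar modelling the RFC 6265 rules that involve HttpOnly.
// api "http"   = Set-Cookie response header / Cookie request header
// api "script" = document.cookie (a "non-HTTP" API in RFC terms)
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, httpOnly }
  }

  // Store one cookie string such as "name=value; Path=/; HttpOnly".
  // Returns true if the cookie was stored, false if it was ignored.
  set(cookieString, api) {
    const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false; // no cookie name: ignore
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const httpOnly = attrs.some((a) => a.toLowerCase() === "httponly");
    // Section 5.3: a non-HTTP API may not create an HttpOnly cookie.
    if (api === "script" && httpOnly) return false;
    // Section 5.3: a non-HTTP API may not overwrite an HttpOnly cookie.
    const existing = this.cookies.get(name);
    if (api === "script" && existing && existing.httpOnly) return false;
    this.cookies.set(name, { value, httpOnly });
    return true;
  }

  // Build the cookie string visible to the given API.
  // Section 5.4: HttpOnly cookies are omitted for non-HTTP APIs.
  get(api) {
    return [...this.cookies]
      .filter(([, c]) => api === "http" || !c.httpOnly)
      .map(([name, c]) => `${name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario: a client-side library keeps redirect state in a cookie
// ("example.auth.state" is a made-up name) while a server sets a session cookie.
function demo() {
  const jar = new CookieJar();
  const scriptPlain = jar.set("example.auth.state=abc123; Path=/; Secure", "script");
  const scriptHttpOnly = jar.set("example.auth.nonce=n1; Path=/; HttpOnly", "script");
  const serverHttpOnly = jar.set("session=s3cr3t; Path=/; Secure; HttpOnly", "http");
  const scriptOverwrite = jar.set("session=tampered; Path=/", "script");
  return {
    scriptPlain, scriptHttpOnly, serverHttpOnly, scriptOverwrite,
    visibleToScript: jar.get("script"),
    sentToServer: jar.get("http"),
  };
}
```

In this model only a cookie delivered in a server response can be HttpOnly, and such a cookie is then invisible to any script, including a client-side authentication library.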