question

KavithaRanga-0903 asked alfredorevilla-msft commented

@azure/msal-react , @azure/msal-browser and getting HTTPOnly cookies

Hi, I am using @azure/msal-browser version 2.23.0 and @azure/msal-react version 1.3.2 in a SPA React application. The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute. How can I set the HTTPOnly flag on the cookies to pass my security testing?

My MSALConfig looks like below

```typescript
import { Configuration } from "@azure/msal-browser";

export const msalConfig: Configuration = {
  auth: {
    clientId: "",
    authority: "https://login.microsoftonline.com/***",
    redirectUri: "http://localhost:3000",
    postLogoutRedirectUri: "http://localhost:3000"
  },
  cache: {
    cacheLocation: "sessionStorage", // This configures where your cache will be stored
    storeAuthStateInCookie: false,   // Only needed for browsers that lose auth state across redirects (e.g. IE11)
  }
};
```




thanks,
kavitha

azure-ad-msal

1 Answer

alfredorevilla-msft answered alfredorevilla-msft commented

Hello @kavitharanga-0903, this is by design as the cookie(s) need to be accessed from JavaScript.

Please let us know if you need additional assistance.


Hi @alfredorevilla-msft, is there any solution for this? How can we resolve it?


Thanks for getting back. However when we run Penetration testing, since these cookies do not have "HttpOnly" Flag set, it is flagged as a security vulnerability. Is there any way to set this explicitly if needed?


Hello @thahirmohamedcognizant-0965, @kavitharanga-0903, these cookies are subject to change and cannot be set to HttpOnly since they need to be accessed from client code. Information stored in these cookies should not be a cause of concern, thus you can create exceptions for them in your tests.

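An added example (not code from this Q&A or from MSAL) of the test exception the answer suggests: parse the Set-Cookie headers of a response and report a missing HttpOnly flag only on cookies that are not MSAL client-side state, while still checking Secure and SameSite on every cookie. The "msal." name prefix and the sample headers are assumptions constructed for the example.

```javascript
// Added example: triage Set-Cookie headers so that a missing HttpOnly flag is
// reported only where it matters. MSAL.js state cookies must be readable from
// JavaScript by design; server session cookies must not be.
// ASSUMPTION: MSAL client-state cookies are named with this prefix. The names are
// subject to change, so keep the allowlist narrow and review it with each upgrade.
const MSAL_COOKIE_PREFIX = "msal.";

// Parse one Set-Cookie header value into its name and the flags we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = { httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") flags.httpOnly = true;
    else if (key === "secure") flags.secure = true;
    else if (key === "samesite") flags.sameSite = (v || "").trim();
  }
  return { name, ...flags };
}

// Decide which findings to raise for a parsed cookie.
// HttpOnly is exempted only for MSAL client-state cookies; Secure and SameSite
// are still expected on those, since they travel over the network like any cookie.
function triageCookie(cookie) {
  const findings = [];
  const isClientState = cookie.name.startsWith(MSAL_COOKIE_PREFIX);
  if (!cookie.httpOnly && !isClientState) findings.push("missing HttpOnly");
  if (!cookie.secure) findings.push("missing Secure");
  if (!cookie.sameSite) findings.push("missing SameSite");
  return { name: cookie.name, exempt: isClientState && !cookie.httpOnly, findings };
}

function triageHeaders(headers) {
  return headers.map((h) => triageCookie(parseSetCookie(h)));
}

// Constructed sample headers: an MSAL state cookie (exempt), a server session
// cookie missing HttpOnly (real finding), and a correctly flagged cookie.
const SAMPLE_HEADERS = [
  "msal.interaction.status=abc123; Path=/; Secure; SameSite=Lax",
  "ASP.NET_SessionId=deadbeef; Path=/; Secure; SameSite=Lax",
  "app_session=xyz; Path=/; HttpOnly; Secure; SameSite=Strict",
];

for (const r of triageHeaders(SAMPLE_HEADERS)) console.log(r);
```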