This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 49%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKR%3C/text%3E%3C/svg%3E)
Hi, I am using @azure/msal-bowser version 2.23.0 and @azure/msal-react version 1.3.2 in a SPA React application. The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute. How can I set the HTTPOnly flag on the cookies to pass my security testing?
My MSALConfig looks like below
export const msalConfig: Configuration = {
auth: {
clientId: "*************************************",
authority: "https://login.microsoftonline.com/********************************",
redirectUri: "http://localhost:3000",
postLogoutRedirectUri: "http://localhost:3000"
},
cache: {
cacheLocation: "sessionStorage", // This configures where your cache will be stored
storeAuthStateInCookie: false,
}
};
thanks,
kavitha
Hello @Kavitha Ranga , this is by design as the cookie(s) need to be accessed form Javascript.
Please let us know if you need additional assistance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 38%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Hi @Alfredo Revilla - Senior Freelance SWE, SWA, IAM , Is there any solution for this. How we can resolve?
Thanks for getting back. However when we run Penetration testing, since these cookies do not have "HttpOnly" Flag set, it is flagged as a security vulnerability. Is there any way to set this explicitly if needed?
Hello @Thahir, Mohamed (Cognizant) , @Kavitha Ranga , these cookies are subject to change and cannot be set to HttpOnly since they need to be accessed from cliente code. Information stored in these cookies should not be a cause of concern thus you can create exceptions for them in your tests.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 57.99999999999999%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYN%3C/text%3E%3C/svg%3E)
Then how should the security vulnerabilities found by the security scans should be handled , please elaborate
Hello, as suggested you should allow them as expections.