@azure/msal-react , @azure/msal-browser and getting HTTPOnly cookies

Kavitha Ranga 1 Reputation point

Hi, I am using @azure/msal-bowser version 2.23.0 and @azure/msal-react version 1.3.2 in a SPA React application. The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute. How can I set the HTTPOnly flag on the cookies to pass my security testing?

My MSALConfig looks like below

export const msalConfig: Configuration = {
auth: {
clientId: "*************************************",
authority: "https://login.microsoftonline.com/********************************",
redirectUri: "http://localhost:3000",
postLogoutRedirectUri: "http://localhost:3000"
cache: {
cacheLocation: "sessionStorage", // This configures where your cache will be stored
storeAuthStateInCookie: false,




Not Monitored
Not Monitored
Tag not monitored by Microsoft.
37,671 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2022-04-30T00:19:51.79+00:00

    Hello @Kavitha Ranga , this is by design as the cookie(s) need to be accessed form Javascript.

    Please let us know if you need additional assistance.