46,185 questions
Hello @Kavitha Ranga , this is by design as the cookie(s) need to be accessed form Javascript.
Please let us know if you need additional assistance.
@azure/msal-react , @azure/msal-browser and getting HTTPOnly cookies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 49%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKR%3C/text%3E%3C/svg%3E)
Kavitha Ranga
1
Reputation point
Hi, I am using @azure/msal-bowser version 2.23.0 and @azure/msal-react version 1.3.2 in a SPA React application. The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute. How can I set the HTTPOnly flag on the cookies to pass my security testing?
My MSALConfig looks like below
export const msalConfig: Configuration = {
auth: {
clientId: "*************************************",
authority: "https://login.microsoftonline.com/********************************",
redirectUri: "http://localhost:3000",
postLogoutRedirectUri: "http://localhost:3000"
},
cache: {
cacheLocation: "sessionStorage", // This configures where your cache will be stored
storeAuthStateInCookie: false,
}
};
thanks,
kavitha
Community Center | Not monitored
1 answer
Sort by: Most helpful
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator2022-04-30T00:19:51.79+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 38%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Thahir, Mohamed (Cognizant) 1 Reputation point2022-05-11T07:02:18.983+00:00 Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , Is there any solution for this. How we can resolve?
-
Kavitha Ranga 1 Reputation point
2022-05-11T13:03:03.407+00:00 Thanks for getting back. However when we run Penetration testing, since these cookies do not have "HttpOnly" Flag set, it is flagged as a security vulnerability. Is there any way to set this explicitly if needed?
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2022-05-11T20:42:31.973+00:00 Hello @Thahir, Mohamed (Cognizant) , @Kavitha Ranga , these cookies are subject to change and cannot be set to HttpOnly since they need to be accessed from cliente code. Information stored in these cookies should not be a cause of concern thus you can create exceptions for them in your tests.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 57.99999999999999%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYN%3C/text%3E%3C/svg%3E)
Yadav, Nirmala 0 Reputation points2023-04-12T11:05:34.2166667+00:00 Then how should the security vulnerabilities found by the security scans should be handled , please elaborate
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2023-04-12T15:51:10.0833333+00:00 Hello, as suggested you should allow them as expections.
Sign in to comment -