Stop cookie replay attacks with IP binding


This content is archived and is not being updated. For the latest documentation, go to What is Microsoft Dataverse?. For the latest release plans, go to Dynamics 365 and Microsoft Power Platform release plans.

Enabled for Public preview General availability
Users by admins, makers, or analysts Aug 25, 2022 Jan 25, 2023

Business value

As an administrator, you'll be able to safeguard your Dataverse platform from cookie replay attacks coming from different computers or IP addresses.

Feature details

You can stop cookie replay attacks by binding the IP address of the computer with a cookie to block unauthorized access to Dataverse. You can apply this control when needed to help keep your organization secure. This vulnerability can only be exploited if the device is compromised or a man-in-the-middle attack happens, and the browser’s valid cookie is copied by a malicious user. This valid cookie can only be replayed until it expires.

For example, a user copies a valid browser cookie from one computer using publicly available tools and tries to replay the same cookie from a different computer using any publicly available tool. The cookie IP binding feature will evaluate the IP address of the cookie origin in real time and will prompt the user with a message if the IP address of the cookie origin is different than the IP address of request being made.

Screenshot of cookie IP binding.

Today, cookie binding with an IP address doesn't exist, but in 2022 release wave 2, administrators will be able to use cookie IP binding in the Power Platform admin center to block cookie replay attacks.

Screenshot of cookie replay attack settings.

See also

Announcing Public Preview of IP based cookie binding in Dataverse (blog)

Block cookie replay attacks in Dataverse (docs)