Safeguarding Dataverse sessions with IP cookie binding
Prevent session hijacking exploits in Dataverse with IP address-based cookie binding. Let's say that a malicious user copies a valid session cookie from an authorized computer that has cookie IP binding enabled. The user then tries to use the cookie on a different computer to gain unauthorized access to Dataverse. In real time, Dataverse compares the IP address of the cookie's origin against the IP address of the computer making the request. If the two are different, the attempt is blocked, and an error message is shown.
1. Select Environments, and then select an environment.
2. Select Settings > Product > Privacy + Security.
3. Under IP address settings, select the Enable IP address-based cookie binding option.
4. (Optional) If your organization has reverse proxies configured, enter their IP addresses, separated by commas, in the Reverse proxy IP addresses field. The reverse proxy setting applies to both IP-based cookie binding and the IP firewall. Ask your network administrator for the reverse proxy IP addresses.
   Note: The reverse proxy must be configured to send the user's client IP address in the forwarded header.
5. Select Save.
How cookie binding uses your IP address
IP-based cookie binding sets the IP address claim in the session cookie. Each request is evaluated to compare the current IP address with the source IP address that was stored in the cookie when it was created. If the addresses don't match, the user is denied access.
Scenarios in which users are asked to reauthenticate
- When any VPN client is turned on or off
- When connecting to a wireless hotspot
- When the Internet connection is reset by the Internet service provider
- When a router is reset or restarted
How to test the feature
1. Clear all the cookies from the browser. This step is important to ensure that a new cookie is generated.
2. Sign in to a Dynamics 365 environment that has IP-based cookie binding enabled.
3. Use a client tool such as Fiddler to copy the session cookie.
4. Submit a request from an alternate computer (outside of the original network) using the previously obtained session cookie. You should expect to receive an HTTP 403 error in response.
Exclusions
- If the user connects to Dataverse from the same IP address with the old, valid cookie, Dataverse accepts the cookie.
- If traffic between your network and Power Platform goes through a reverse proxy that has a dynamic IP address, IP-based cookie binding won't work.
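To make the evaluation described above concrete (the IP claim stored in the cookie, the per-request comparison, the trusted reverse proxy forwarding the client address, and the outcomes of the test procedure and exclusions), here is a small server-side model written for this article; it is not Dataverse's code. It assumes an HMAC-signed cookie format, a hypothetical signing key, and constructed IP addresses from documentation ranges.

```python
import hmac, hashlib, secrets, ipaddress

SECRET = secrets.token_bytes(32)  # hypothetical server-side signing key

def issue_cookie(client_ip):
    """Create a session cookie that carries an IP claim bound to its creator (constructed format)."""
    sid = secrets.token_hex(16)
    body = f"{sid}|{client_ip}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Honour the forwarded header only when the immediate peer is a configured reverse proxy."""
    if forwarded_for and ipaddress.ip_address(peer_ip) in trusted_proxies:
        # The leftmost entry is the original client address as recorded by the proxy.
        return forwarded_for.split(",")[0].strip()
    return peer_ip  # untrusted peers cannot override their own address via the header

def check_request(cookie, peer_ip, forwarded_for=None, trusted_proxies=frozenset()):
    """Return 200 when the cookie is intact and its IP claim matches the requester, else 403."""
    try:
        sid, bound_ip, tag = cookie.split("|")
    except ValueError:
        return 403
    expected = hmac.new(SECRET, f"{sid}|{bound_ip}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return 403  # the IP claim was edited; signature no longer matches
    if bound_ip != effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
        return 403  # valid cookie presented from a different address
    return 200

def demo():
    """Walk through the article's scenarios with constructed addresses."""
    proxies = {ipaddress.ip_address("203.0.113.10")}   # constructed reverse proxy address
    cookie = issue_cookie("198.51.100.7")               # created from this client
    return (
        check_request(cookie, "198.51.100.7"),                            # same address: accepted
        check_request(cookie, "192.0.2.44"),                              # different computer: 403
        check_request(cookie, "203.0.113.10", "198.51.100.7", proxies),   # via trusted proxy: accepted
        check_request(cookie, "192.0.2.44", "198.51.100.7", proxies),     # header from untrusted peer: 403
    )
```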
FAQ
Is this feature available in Dataverse?
Cookie IP binding is available for the CrmOwinAuth cookie in Unified Interface.
How soon does the change take effect once it's made in the Power Platform admin center?
The change typically takes effect in about five minutes.
Does this feature work in real time?
The feature evaluates the cookie in real time, except for the initial request that's made after the feature is enabled.
Is this feature enabled by default in all environments?
The cookie IP binding feature is disabled by default. Administrators must enable it in the Power Platform admin center.