Portal security cookie settings and vulnerability


A vulnerability has been flagged in our OOB vanilla portal by Qualys for the HTTPOnly attribute on the session cookie. 

The Microsoft Portals security documentation reads that the setting:

Authentication/ApplicationCookie/CookieHttpOnly

Determines whether the browser should allow the cookie to be accessed by client-side JavaScript. Default: true

I am guessing that the default was not accessible by the assessment scan, so I have added the authentication setting in the configuration and set it as 'True'. A new scan has been requested; I will see what it reports.

If the vulnerability is flagged again I need some action options. If I set it to 'false' will anything break?

We have no client-side JavaScript and are not planning any. Any suggestions, please? Cheers, Richard, U.K.

Microsoft Docs Cookie settings 

 

  • Prakash4691

    @Gatwick

    No, it will not cause any issue.

    You can set it to false or else deactivate the record from site settings.

    If it answers your question, kindly give kudos and accept it as the solution.

    Regards,

    Prakash

  • tacklers

    Hi Prakash,

    Thanks for taking the trouble to reply. Happy to issue big Kudos if what you say is right.

    BUT right now I'm not sure. Do you know the reason it won't be an issue? Why does the option exist if it's irrelevant? I know I can delete it from site settings; that is where I set it up, hoping the crawl would see it there, as it may not be obvious if it is the default behaviour.

    Cheers, Richard

  • Prakash4691

    @Gatwick

    That option/setting w.r.t. the cookie will not come OOB when we provision a portal in Power Platform.

    It looks like it has been manually created, and you have also mentioned that there will not be any client-side scripting available. That particular setting is to access the cookie which is available in the browser via client-side scripting.

    I do not see any trouble in deactivating that record if it is of no use.

    Regards,

    Prakash

  • Verified answer
    tacklers

    Hi Prakash, thanks for the follow-up. As per my original problem, I realise the record does not exist in the configuration OOB, but the default activity is 'true', so I set it up in the expectation that our assessment scanner can then see it. When set as 'true' I guess that client-side JavaScript is allowed to access the cookie? Cheers, Richard

  • Verified answer
    Prakash4691

    @Gatwick,

    Yes, if it is set to true, JavaScript is able to access the browser cookie.

    Regards,

    Prakash
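
The scanner finding discussed in this thread can be checked independently of the site setting by reading the attributes on the portal's `Set-Cookie` response headers, since a cookie carrying the `HttpOnly` attribute is not exposed to `document.cookie`. The following is an added example, not part of the original thread or of Microsoft's documentation; the cookie names and header values are constructed samples, and `parse_set_cookie` and `audit_cookies` are hypothetical helper names.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly / Secure.
# All header strings below are constructed samples, not captured from a portal.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, required=("httponly", "secure")):
    """Return {cookie_name: [missing attributes]} for cookies lacking any."""
    findings = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


SAMPLE_HEADERS = [
    # Both flags present.
    "session_a=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    # Lower-case attribute names are still valid.
    "session_b=def456; path=/; secure; httponly",
    # Session cookie without HttpOnly: what the scanner would flag.
    "session_c=ghi789; Path=/; Secure",
    # "HttpOnly" appears only as the cookie VALUE; a naive substring
    # search would wrongly treat this cookie as protected.
    "pref=HttpOnly; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Pass it the `Set-Cookie` values seen in the portal's responses (for example, copied from the browser's developer tools) before and after changing the site setting, to see what a rescan will observe.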
