Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,553 questions
Insecure Cookie Attributes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 6%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Ayush Prasad
0
Reputation points
We are using MS Entra ID as an IDP and @azure/msal-browser package in the vue application for authentication and login.
We observed below things during the security scan -
The path attribute set in the cookie is set to the web application root “/”.
Impact - When this attribute is not enabled, cookies can be accessed by malicious scripts in the browser. If the path attribute is set to the web server root "/", then the application cookies will be sent to every application within the same domain. It could leave the application vulnerable to attacks by other applications on the same server.
The SameSite attribute is set to ‘None’.
Impact - When this attribute is not enabled, cookies can be accessed by malicious scripts in the browser. If the path attribute is set to the web server root "/", then the application cookies will be sent to every application within the same domain. It could leave the application vulnerable to attacks by other applications on the same server.
Please confirm if above mentioned items are a valid security finding.
Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator2025-05-12T20:09:17.6366667+00:00 Hello @Ayush Prasad ,
The concerns you've raised regarding the cookie attributes are indeed valid security findings.
- Path Attribute: Setting the path attribute to the web application root "/" can expose cookies to other applications within the same domain. This could potentially allow malicious scripts from other applications to access these cookies, leading to security vulnerabilities.
- SameSite Attribute: Setting the SameSite attribute to 'None' means that the cookies can be sent in cross-site requests. This can also expose your application to Cross-Site Request Forgery (CSRF) attacks, as cookies will be accessible in third-party contexts.
Both of these configurations can lead to increased security risks, and it is advisable to review and adjust these settings to enhance the security of your application.
For additional Information you can follow: Handle SameSite cookie changes in Chrome browser , Configure the SameSite attribute for session cookies in Dataverse and Dynamics 365 , Cookie settings for accessing on-premises applications in Microsoft Entra ID
Hope this information helps. Let us know if you have any additional queries. Happy to assist you further.
-
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator
2025-05-13T21:37:07.1033333+00:00 Hello @Ayush Prasad ,
following upto see if the above response is helpful. Let us know if you have any additional queries. Happy to assist you further.
-
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator
2025-05-14T22:34:53.2466667+00:00 Hello @Ayush Prasad ,
following upto see if the above response is helpful. Let us know if you have any additional queries. Happy to assist you further.
Sign in to comment
Sign in to answer