michaelgappa1
Frequent Visitor

Power Apps Cookie Management - ASP.NET SessionID

Does anyone know, or can anyone confirm, whether the Session ID lifetime on any Power Apps website can be adjusted? I have found documentation that says its lifetime is "session" (it expires after the browser is closed), but I haven't found anywhere that says it cannot be adjusted.

Cookies in Power Apps portals - Power Apps | Microsoft Learn

Accepted Solution

@michaelgappa1 

Please make a note of the following:

Although I do not know the internal implementation here of Portals or Office 365, note that, regardless of the client-side lifetime of any cookie, if there are any server-side validation checks on the age of the cookie from when it was first made from the server's perspective, then any such cookie on which that validation is performed, once expired on the server side, can no longer be used to perform any further operations, regardless of the client-side age of the cookie.

Let's suppose it does what you want and the age of every cookie were exactly what you wanted. However, suppose the server did not care when any cookie expired. Couldn't you just take any cookie you wanted, change its age with any client-side tool before it expired, and then just wait, and then the server would consider even an expired cookie valid?

Actually, if a cookie's validation were modified on the client side to be longer, and the server still discarded it when it was actually past its real expiration date as validated on the server, wouldn't that be a sign that the server was doing a better job in that case, not relying just on the client-side cookie's timestamps?

So I think relying on just what the client side tells you about the cookie as a sign of the security strength of a system is not wise. A sign of a vulnerability may very well be the opposite of what you have noted. If all the cookies have all the right dates on your side, but they are never validated on the server, that's actually a real vulnerability, because you could just change when the cookies expire and that's all it would take to trigger a system vulnerability, right?

Out of curiosity, I would like to know where you found out that the expiration date of a cookie alone, taking into account no other factors, or the fact that a cookie persists for a whole browser session, alone and taking into account no other factors, is a sign of any vulnerability.

I don't know the internal implementation but I don't think you have much to worry about here.

If you are still concerned, you can try to open a support ticket here:

Create a new Power Platform Support Ticket

However, I am not sure what you would put there because I didn't see any problem here in what you described.

poweractivate
Most Valuable Professional

@michaelgappa1 

I believe the timeout for when someone is about to be signed out of Microsoft 365 (which I believe includes Power Apps and anything else they're logged into related to Microsoft 365) can be adjusted. See if the link below helps you:
Idle session timeout for Microsoft 365

I am not sure if this setting affects the sign out timeout of the Power Apps web application - you can try it to see.

I am also not 100% sure if there is a way to adjust the sign out timeout of only Power Apps in particular and nothing else.

michaelgappa1
Frequent Visitor

Thanks, I should have been clearer about what exactly I'm trying to do, sorry about that.

We're using Dynamics Online and we have a power apps portal we use publicly. When someone visits the portal, the cookie generated has an expiration of Session. I attached the image with the highlighted cookie for the particular website.

When I visit the website, it generates the cookie, and it only expires when you close the browser. That was highlighted as a security vulnerability, and they insisted on changing the lifetime of the cookie. Since it's online, I'm assuming there's no way to change that, unless I'm mistaken.

@michaelgappa1 I think it is still possible, I might reply in a moment with how you can do it

poweractivate
Most Valuable Professional

@michaelgappa1 

1. Go to yourorg.crm.dynamics.com

2. On upper right notice the settings gear. Click it

3. Click Advanced Settings


4. Now click on the chevron to the right of Settings

5. Under System click Administration

6. Click System Settings

7. Scroll down to Set Session timeout and Set inactivity timeout and configure as desired.

For example click "Set custom" under Session timeout settings

8. Configure the maximum session length and timeout warning values.

When done, click OK


See if it helps @michaelgappa1 

poweractivate
Most Valuable Professional

@michaelgappa1 

If you mean the Portal only, try this:

Create two site settings in your Portal:

Name: Authentication/ApplicationCookie/ExpireTimeSpan
Value: Idle time, in the format HH:MM:SS. For example, 30 seconds would be 00:00:30
Description: Idle time of the Portal

Name: Authentication/ApplicationCookie/LoginPath
Value: /SignIn
Description: This is where the user will be redirected to after the session timeout. You can, for example, create your own custom web page at this location and then display a custom message for the session timeout on that page.

Does it help @michaelgappa1 ?
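As an added illustration, not code from this thread or from Power Apps portals, of the accepted answer's point that server-side validation of a session's age is what matters, tied to the two Portal site settings above: a constructed Python session store that parses an ExpireTimeSpan value in HH:MM:SS, tracks idle time on the server, redirects expired sessions to the LoginPath, and ignores whatever expiry the browser claims for its cookie. The store, the user name and the timestamps are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

def parse_expire_timespan(value: str) -> timedelta:
    """Parse the HH:MM:SS format of the ExpireTimeSpan site setting."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

@dataclass
class SessionRecord:
    user: str
    last_seen: datetime

class SessionStore:
    """Constructed server-side store: the cookie is only an opaque lookup key."""

    def __init__(self, expire_timespan: str, login_path: str = "/SignIn"):
        self.idle_limit = parse_expire_timespan(expire_timespan)
        self.login_path = login_path  # where an expired session is sent
        self._sessions = {}

    def sign_in(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = SessionRecord(user, now)
        return token

    def authorize(self, cookie_value: str, now: datetime, client_expires=None):
        """Return (user, None) while the session is live, else (None, redirect).
        client_expires is whatever the browser claims; the server never reads it."""
        record = self._sessions.get(cookie_value)
        if record is None or now - record.last_seen > self.idle_limit:
            self._sessions.pop(cookie_value, None)  # discard the stale session
            return None, self.login_path
        record.last_seen = now  # activity resets the idle clock
        return record.user, None

def demo() -> dict:
    """Sign in with a 30-second idle limit, then call back inside and past it."""
    store = SessionStore("00:00:30")
    t0 = datetime(2022, 12, 8, 12, 0, 0)  # constructed timestamp
    token = store.sign_in("alice", t0)
    within = store.authorize(token, t0 + timedelta(seconds=20))
    # The client rewrites its cookie to expire a year later; the server still
    # rejects the request because 40 idle seconds exceed the configured 30.
    after = store.authorize(token, t0 + timedelta(seconds=60),
                            client_expires=t0 + timedelta(days=365))
    return {"within": within, "after": after}
```

The browser-side Expires attribute of the cookie plays no part in the decision; only the server's own record of last activity against the configured idle limit does.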

michaelgappa1
Frequent Visitor

Thanks, I tried this, but it looks like the ASP.NET SessionId still remains before and after user session. It's only when I close the entire browser session and revisit the portal does it change. 

@michaelgappa1 

Did it change though after you put those Portal settings and does it match the settings you put in?

If it did, I am not sure it is possible to apply them instantly; it may only be supported after you close the entire browser session and revisit the portal. If there was indeed some difference after the setting, once you closed the entire browser session and revisited the portal, that means it may have worked.

Do you want me to check whether you need details on how to destroy or invalidate all the Portal sessions, if that may be something you need?

michaelgappa1
Frequent Visitor

After setting it to 30 seconds, I cleared my browser's cookies and closed the entire browser session. Then I visited the portal and confirmed the ASP.NET SessionID. Once I logged into the Portal, I confirmed it's the same SessionId as prior to login. After 30 seconds, I attempted to navigate to another page and I see it logged me out, but the SessionId remains the same.

As far as the portal sessions, that may be what I need to do. I did some research on ASP.NET_Session_ID and it seems that if it's an ASP.NET application you developed using the framework (and not through Power Apps), you can add the script to your app to clear the session. I didn't think you could do that with Power Apps Portals.

how to remove SessionID (microsoft.com)

@michaelgappa1 What happens when you try both ways, the System Settings and the Portal Settings? You can try slightly different times as well, so you can tell which timeout triggers in which case. Does it help?

Note that even if any specific cookie remains valid, whether it's the Office 365 one or the Portals one, there may be more than one cookie involved. If the correct cookies are invalidated and have the correct expiration, that session cookie is of no use anymore and cannot be used to perform any more operations against Office 365 services. If either or both methods cause the timeout to really work, any presence of any other cookies does not matter as I believe they cannot be used to make any further operations against any authenticated user.

Please clarify whether you are more worried about the Office 365 services as a whole and how they handle cookies, or just your Power Apps portal in particular. I believe what I said applies to both; however, you could continue to test, and if you find any vulnerability or issue, please give more detail in a reply about which operation can still be performed against an authenticated user after the configured timeout was reached.

See if it helps @michaelgappa1 
