michaelgappa1
Frequent Visitor

Power Apps wCookie Management - ASP.NET SessionsID

Does anyone know or can confirm if the Session ID lifetime on any Power Apps Website can be adjusted? I have found documentation that says its lifetime is session (expires after browser is closed), but I haven't found anywhere that it cannot be adjusted?

Cookies in Power Apps portals - Power Apps | Microsoft Learn

Accepted Solutions

@michaelgappa1 

 

Please make a note of the following:

 

Although I do not know the internal implementation here of Portals or Office 365, note that regardless of the client side lifetime of any cookie, if there are any server side validation checks on the age of the cookie from when it was first made by the server's perspective, then one or more such cookies where such validation is performed, after expired on the server side, can no longer be used to perform any further operations regardless of the client side age of the cookie.

 

Let's suppose it does what you want and the age of every cookie were exactly what you wanted. However suppose the server did not care when any cookie expired. Couldn't you just take any cookie you wanted, and just change the age of it with any client side tool before it expired, and then just wait, and then the server would consider even an expired cookie as valid now? 

 

Actually, if a cookie's validation were modified on the client side to be longer, and the server still discarded it when it was actually past its real expiration date validated on the server, wouldn't it be a sign that the server was doing a better job in that case not relying just on the client side cookie's timestamps?

 

So I think reliance on just what the client side tells you of the cookie as a sign of the security strength of a system is not wise. A sign of a vulnerability may very well be the opposite of what you have noted. If all the cookies have all the right dates on your side, but never validates on the server, that's actually a real vulnerability, because you could just change when the cookies expire and that's all it would take to trigger a system vulnerability, right?

 

Out of curiosity, I would like to know where did you find out that the expiration date of a cookie alone taking into account no other factors, or the fact that a cookie persists for a whole browser session, alone and taking into account no other factors is a sign of any vulnerability. 

 

I don't know the internal implementation but I don't think you have much to worry about here.

If you are still concerned you can try to make a support ticket here:

Create a new Power Platform Support Ticket

However, I am not sure what you would put there because I didn't see any problem here in what you described.
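A minimal model of the server-side age check this answer describes, added here as an illustration. It is not part of the original post and not the Power Apps or ASP.NET implementation. `SessionStore`, `parse_timespan`, the user name and the one-hour absolute limit are hypothetical; the 30-second idle value uses the HH:MM:SS format mentioned in the thread.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


def parse_timespan(value: str) -> int:
    """Convert an HH:MM:SS string to seconds."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected HH:MM:SS, got {value!r}")
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 3600 + minutes * 60 + seconds


@dataclass
class Session:
    user: str
    created: float    # server clock when the session was issued
    last_seen: float  # server clock at the last accepted request


class SessionStore:
    """Hypothetical in-memory store; expiry is decided only from server-side state."""

    def __init__(self, idle_timeout: float, absolute_timeout: float):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}

    def issue(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, created=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: float,
                 client_claimed_expiry: Optional[float] = None) -> Optional[str]:
        # client_claimed_expiry is accepted only to show that it is never consulted.
        session = self._sessions.get(sid)
        if session is None:
            return None
        idle = now - session.last_seen
        age = now - session.created
        if idle > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[sid]  # the ID is dead even if the browser keeps sending it
            return None
        session.last_seen = now
        return session.user


def demo():
    # Constructed timeline: issue at t=1000, then requests at 1010, 1045 and 1046.
    store = SessionStore(parse_timespan("00:00:30"), parse_timespan("01:00:00"))
    sid = store.issue("alice", now=1000.0)
    return [
        store.validate(sid, now=1010.0),                             # within idle window
        store.validate(sid, now=1045.0, client_claimed_expiry=9e9),  # 35 s idle, rejected
        store.validate(sid, now=1046.0),                             # already removed
    ]


if __name__ == "__main__":
    print(demo())
```

In this model the cookie value the browser holds can stay identical across the timeout; what changes is whether the server still has live state for it.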

 


11 REPLIES 11
poweractivate
Super User

@michaelgappa1 

 

I believe the timeout for when someone is about to be signed out of Microsoft 365 (which I believe includes Power Apps and anything else they're logged into related to Microsoft 365) can be adjusted. See if below helps you:
Idle session timeout for Microsoft 365

 

I am not sure if this setting affects the sign out timeout of the Power Apps web application - you can try it to see.

I am also not 100% sure if there is a way to adjust the sign out timeout of only Power Apps in particular and nothing else.

michaelgappa1
Frequent Visitor

Thanks, I should have been clearer about what exactly I'm trying to do, sorry about that.

We're using Dynamics Online and we have a power apps portal we use publicly. When someone visits the portal, the cookie generated has an expiration of Session. I attached the image with the highlighted cookie for the particular website.

When I visit the website, it generates the cookie and only expires when you close the browser. That was highlighted as a security vulnerability, and they insisted on changing the lifetime on the cookie. Since it's online, I'm assuming there's no way to change that, unless I'm mistaken.

@michaelgappa1 I think it is still possible, I might reply in a moment with how you can do it

poweractivate
Super User

@michaelgappa1 

 

1. Go to yourorg.crm.dynamics.com

2. On upper right notice the settings gear. Click it

3. Click Advanced Settings

4. Now click on the chevron to the right of Settings

5. Under System click Administration

6. Click System Settings

7. Scroll down to Set Session timeout and Set inactivity timeout and configure as desired.

For example click "Set custom" under Session timeout settings

8. Configure the maximum session length and timeout warning values.

When done, click OK

 

See if it helps @michaelgappa1 

 

 

poweractivate
Super User

@michaelgappa1 

 

If you mean the Portal only try this:

 

Create two site settings in your Portal:

 

Name : Authentication/ApplicationCookie/ExpireTimeSpan
Value : Idle time in the format HH:MM:SS. For example, 30 seconds would be 00:00:30
Description: Idle time of the Portal

 

Name : Authentication/ApplicationCookie/LoginPath
Value : /SignIn
Description: This is where the user will be redirected to after the session timeout. You can, for example, create your own custom web page at this location also and then display a custom message for the session timeout on that page.

 

Does it help @michaelgappa1 ?

michaelgappa1
Frequent Visitor

Thanks, I tried this, but it looks like the ASP.NET SessionId still remains before and after user session. It's only when I close the entire browser session and revisit the portal does it change. 

@michaelgappa1 

 

Did it change though after you put those Portal settings and does it match the settings you put in?

 

If it did, I am not sure it is possible to apply them instantly, it may be only supported after you close the entire browser session and revisit the portal. If there was indeed some difference after the setting, after you close the entire browser session and revisit the portal, that means it may have worked.

 

Do you want me to check on if you need detail on how to destroy or invalidate all the Portal sessions if that may be something you need?

michaelgappa1
Frequent Visitor

After setting it to 30 seconds, I cleared my browser's cookies and closed the entire browser session. Then I visited the portal and confirmed the ASP.NET SessionID. Once I logged into the Portal, I confirmed it's the same SessionId prior to login. After 30 seconds, I attempted to navigate to another page and I see it logged me out, but the SessionId remains the same. 

As far as the portal sessions, that may be what I need to do. I did some research on ASP.NET_Session_ID and it seems if it's an ASP.NET application you developed using the framework (and not through Power Apps) you can add the script to your app to clear the session. I didn't think you can do that with Power App Portals. 

how to remove SessionID (microsoft.com)

@michaelgappa1 What happens when you try both ways, the System Settings and the Portal Settings, and you can try slightly different times as well so you could tell which timeout triggers in which case. Does it help?

 

Note that even if any specific cookie remains valid, whether it's the Office 365 one or the Portals one, there may be more than one cookie involved. If the correct cookies are invalidated and have the correct expiration, that session cookie is of no use anymore and cannot be used to perform any more operations against Office 365 services. If either or both methods cause the timeout to really work, any presence of any other cookies does not matter as I believe they cannot be used to make any further operations against any authenticated user.

 

Please clarify if you are more worried about the Office 365 services as a whole and how it handles cookies, or just your Power Apps portal in particular. I believe what I said applies to both, however you could continue to test and if you found any vulnerability or issue please give more detail in a reply which operation can still be performed against an authenticated user after the configured timeout was reached.

 

See if it helps @michaelgappa1 
