cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
michaelgappa1
Frequent Visitor

Power Apps wCookie Management - ASP.NET SessionsID

Does anyone know or can confirm if the Session ID lifetime on any Power Apps Website can be adjusted? I have found documentation that says its lifetime is session (expires after browser is closed), but I haven't found anywhere that it cannot be adjusted?

Cookies in Power Apps portals - Power Apps | Microsoft Learn

1 ACCEPTED SOLUTION

Accepted Solutions
poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 

 

Please make a note of the following:

 

Although I do not know the internal implementation here of Portals or Office 365, note that regardless of the client side lifetime of any cookie, if there are any server side validation checks on the age of the cookie from when it was first made by the server's perspective, then one or more such cookies where such validation is performed, after expired on the server side, can no longer be used to perform any further operations regardless of the client side age of the cookie.

 

Let's suppose it does what you want and the age of every cookie were exactly what you wanted. However suppose the server did not care when any cookie expired. Couldn't you just take any cookie you wanted, and just change the age of it with any client side tool before it expired, and then just wait, and then the server would consider even an expired cookie as valid now? 

 

Actually, if a cookie's validation were modified on the client side to be longer, and the server still discarded it when it was actually past its real expiration date validated on the server, wouldn't it be a sign that the server was doing a better job in that case not relying just on the client side cookie's timestamps?

 

So I think reliance on just what the client side tells you of the cookie as a sign of the security strength of a system is not wise. A sign of a vulnerability may very well be the opposite of what you have noted. If all the cookies have all the right dates on your side, but never validates on the server, that's actually a real vulnerability, because you could just change when the cookies expire and that's all it would take to trigger a system vulnerability, right?

 

Out of curiosity, I would like to know where did you find out that the expiration date of a cookie alone taking into account no other factors, or the fact that a cookie persists for a whole browser session, alone and taking into account no other factors is a sign of any vulnerability. 

 

I don't know the internal implementation but I don't think you have much to worry about here.

If you are still concerned you can try to make a support ticket here:

Create a new Power Platform Support Ticket

However, I am not sure what you would put there because I didn't see any problem here in what you described.

 

View solution in original post

11 REPLIES 11
poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 

 

I believe the timeout for when someone is about to be signed out of Microsoft 365 (which I believe includes Power Apps and anything else they're logged into related to Microsoft 365) can be adjusted. See if below helps you:
Idle session timeout for Microsoft 365

 

I am not sure if this setting affects the sign out timeout of the Power Apps web application - you can try it to see.

I am also not 100% sure if there is a way to adjust the sign out timeout of only Power Apps in particular and nothing else.

michaelgappa1
Frequent Visitor

Thanks, I should have been clearer about what exactly I'm trying to do, sorry about that.

We're using Dynamics Online and we have a power apps portal we use publicly. When someone visits the portal, the cookie generated has an expiration of Session. I attached the image with the highlighted cookie for the particular website.

When I visit the website, it generates the cookie and only expires when you close the browser. That was highlighted as a security vulnerability, and they insisted on changing the lifetime on the cookie. Since its online, I'm assuming there's no way to change that, unless I'm mistaken.

poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 I think it is still possible, I might reply in a moment with how you can do it

poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 

 

1. Go to yourorg.crm.dynamics.com

2. On upper right notice the settings gear. Click it

3. Click Advanced Settings

poweractivate_0-1670522052486.png

 

4. Now click on the chevron to the right of Settings

poweractivate_0-1670521716903.png

5. Under System click Administration

poweractivate_1-1670521748841.png

6. Click System Settings

poweractivate_2-1670521788483.png

7. Scroll down to Set Session timeout and Set inactivity timeout and configure as desired.

For example click "Set custom" under Session timeout settings

poweractivate_3-1670521876358.png

8 .Configure the maximum session length and timeout warning values.

When done, click OK

poweractivate_4-1670521963310.png

 

See if it helps @michaelgappa1 

 

 

poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 

 

If you mean the Portal only try this:

 

Create two site settings in your Portal:

 

Name : Authentication/ApplicationCookie/ExpireTimeSpan
Value : Idle time in the format is in HH:MM:SS. For example, 30 seconds would be 00:00:30
Description: Idle time of the Portal

 

Name : Authentication/ApplicationCookie/LoginPath
Value : /SignIn
Description: This is where the user will be redirected to after the session timeout. You can, for example, create your own custom web page at this location also and then display a custom message for the session timeout on that page.

 

Does it help @michaelgappa1 ?

michaelgappa1
Frequent Visitor

Thanks, I tried this, but it looks like the ASP.NET SessionId still remains before and after user session. It's only when I close the entire browser session and revisit the portal does it change. 

poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 

 

Did it change though after you put those Portal settings and does it match the settings you put in?

 

If it did, I am not sure it is possible to apply them instantly, it may be only supported after you close the entire browser session and revisit the portal. If there was indeed some difference after the setting, after you close the entire browser session and revisit the portal, that means it may have worked.

 

Do you want me to check on if you need detail on how to destroy or invalidate all the Portal sessions if that may be something you need?

michaelgappa1
Frequent Visitor

After setting it to 30 seconds, I cleared by browser's cookies and closed the entire browser session. Then I visited the portal and confirmed the ASP.NET SessionID. Once I logged into the Portal, I confirmed it's the same SessionId prior to login. After 30 seconds, I attempted to navigate to another page and I see it logged me out, but the SessionId remains the same. 

As far as the portal sessions, that may be what I need to do. I did some research on ASP.NET_Session_ID and it seems if it's an ASP.NET application you developed using the framework (and not through Power Apps) you can add the script to your app to clear the session. I didn't think you can do that with Power App Portals. 

how to remove SessionID (microsoft.com)

poweractivate
Most Valuable Professional
Most Valuable Professional

@michaelgappa1 What happens when you try both ways, the System Settings and the Portal Settings, and you can try slightly different times as well so you could tell which timeout triggers in which case. Does it help?

 

Note that even if any specific cookie remains valid, whether it's the Office 365 one or the Portals one, there may be more than one cookie involved. If the correct cookies are invalidated and have the correct expiration, that session cookie is of no use anymore and cannot be used to perform any more operations against Office 365 services. If either or both methods cause the timeout to really work, any presence of any other cookies does not matter as I believe they cannot be used to make any further operations against any authenticated user.

 

Please clarify if you are more worried about the Office 365 services as a whole and how it handles cookies, or just your Power Apps portal in particular. I believe what I said applies to both, however you could continue to test and if you found any vulnerability or issue please give more detail in a reply which operation can still be performed against an authenticated user after the configured timeout was reached.

 

See if it helps @michaelgappa1 

Helpful resources

Announcements

Take a short Community User Survey | Help us make your experience better!

To ensure that we are providing the best possible experience for Community members, we want to hear from you!    We value your feedback! As part of our commitment to enhancing your experience, we invite you to participate in a brief 15-question survey. Your insights will help us improve our services and better serve the community.   👉 Community User Survey    Thank you for being an essential part of our community!    Power Platform Engagement Team  

Tuesday Tip | How to Get Community Support

It's time for another Tuesday Tip, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.       This Week: All About Community Support Whether you're a seasoned community veteran or just getting started, you may need a bit of help from time to time! If you need to share feedback with the Community Engagement team about the community or are looking for ways we can assist you with user groups, events, or something else, Community Support is the place to start.   Community Support is part of every one of our communities, accessible to all our community members.   Within each community's Community Support page, you'll find three distinct areas, each with a different focus to help you when you need support from us most. Power Apps: https://powerusers.microsoft.com/t5/Community-Support/ct-p/pa_community_support Power Automate: https://powerusers.microsoft.com/t5/Community-Support/ct-p/mpa_community_support Power Pages: https://powerusers.microsoft.com/t5/Community-Support/ct-p/mpp_community_support Copilot Studio: https://powerusers.microsoft.com/t5/Community-Support/ct-p/pva_community-support   Community Support Form If you need more assistance, you can reach out to the Community Team via the Community support form. Choose the type of support you require and fill in the form accordingly. We will respond to you promptly.    Thank you for being an active part of our community. Your contributions make a difference!   Best Regards, The Community Management Team

Community Roundup: A Look Back at Our Last 10 Tuesday Tips

As we continue to grow and learn together, it's important to reflect on the valuable insights we've shared. For today's #TuesdayTip, we're excited to take a moment to look back at the last 10 tips we've shared in case you missed any or want to revisit them. Thanks for your incredible support for this series--we're so glad it was able to help so many of you navigate your community experience!   Getting Started in the Community An overview of everything you need to know about navigating the community on one page!  Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Community Ranks and YOU Have you ever wondered how your fellow community members ascend the ranks within our community? We explain everything about ranks and how to achieve points so you can climb up in the rankings! Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Powering Up Your Community Profile Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile. Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Community Blogs--A Great Place to Start There's so much you'll discover in the Community Blogs, and we hope you'll check them out today!  Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Unlocking Community Achievements and Earning Badges Across the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. Check out some details on Community badges--and find out more in the detailed link at the end of the article! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Blogging in the Community Interested in blogging? Everything you need to know on writing blogs in our four communities! Get started blogging across the Power Platform communities today! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Subscriptions & Notifications We don't want you to miss a thing in the community! Read all about how to subscribe to sections of our forums and how to setup your notifications! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Getting Started with Private Messages & Macros Do you want to enhance your communication in the Community and streamline your interactions? One of the best ways to do this is to ensure you are using Private Messaging--and the ever-handy macros that are available to you as a Community member! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Community User Groups Learn everything about being part of, starting, or leading a User Group in the Power Platform Community. Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Update Your Community Profile Today! Keep your community profile up to date which is essential for staying connected and engaged with the community. Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Thank you for being an integral part of our journey.   Here's to many more Tuesday Tips as we pave the way for a brighter, more connected future! As always, watch the News & Announcements for the next set of tips, coming soon!

Calling all User Group Leaders and Super Users! Mark Your Calendars for the next Community Ambassador Call on May 9th!

This month's Community Ambassador call is on May 9th at 9a & 3p PDT. Please keep an eye out in your private messages and Teams channels for your invitation. There are lots of exciting updates coming to the Community, and we have some exclusive opportunities to share with you! As always, we'll also review regular updates for User Groups, Super Users, and share general information about what's going on in the Community.     Be sure to register & we hope to see all of you there!

April 2024 Community Newsletter

We're pleased to share the April Community Newsletter, where we highlight the latest news, product releases, upcoming events, and the amazing work of our outstanding Community members.   If you're new to the Community, please make sure to follow the latest News & Announcements and check out the Community on LinkedIn as well! It's the best way to stay up-to-date with all the news from across Microsoft Power Platform and beyond.    COMMUNITY HIGHLIGHTS   Check out the most active community members of the last month! These hardworking members are posting regularly, answering questions, kudos, and providing top solutions in their communities. We are so thankful for each of you--keep up the great work! If you hope to see your name here next month, follow these awesome community members to see what they do!   Power AppsPower AutomateCopilot StudioPower PagesWarrenBelzDeenujialexander2523ragavanrajanLaurensMManishSolankiMattJimisonLucas001AmikcapuanodanilostephenrobertOliverRodriguestimlAndrewJManikandanSFubarmmbr1606VishnuReddy1997theMacResolutionsVishalJhaveriVictorIvanidzejsrandhawahagrua33ikExpiscornovusFGuerrero1PowerAddictgulshankhuranaANBExpiscornovusprathyooSpongYeNived_Nambiardeeksha15795apangelesGochixgrantjenkinsvasu24Mfon   LATEST NEWS Business Applications Launch Event - On Demand In case you missed the Business Applications Launch Event, you can now catch up on all the announcements and watch the entire event on-demand inside Charles Lamanna's latest cloud blog.   This is your one stop shop for all the latest Copilot features across Power Platform and #Dynamics365, including first-hand looks at how companies such as Lenovo, Sonepar, Ford Motor Company, Omnicom and more are using these new capabilities in transformative ways. Click the image below to watch today!     Power Platform Community Conference 2024 is here! It's time to look forward to the next installment of the Power Platform Community Conference, which takes place this year on 18-20th September 2024 at the MGM Grand in Las Vegas!   Come and be inspired by Microsoft senior thought leaders and the engineers behind the #PowerPlatform, with Charles Lamanna, Sangya Singh, Ryan Cunningham, Kim Manis, Nirav Shah, Omar Aftab and Leon Welicki already confirmed to speak. You'll also be able to learn from industry experts and Microsoft MVPs who are dedicated to bridging the gap between humanity and technology. These include the likes of Lisa Crosbie, Victor Dantas, Kristine Kolodziejski, David Yack, Daniel Christian, Miguel Félix, and Mats Necker, with many more to be announced over the coming weeks.   Click here to watch our brand-new sizzle reel for #PPCC24 or click the image below to find out more about registration. See you in Vegas!     Power Up Program Announces New Video-Based Learning Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram. These include a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the image below to find out more!     UPCOMING EVENTS Microsoft Build - Seattle and Online - 21-23rd May 2024 Taking place on 21-23rd May 2024 both online and in Seattle, this is the perfect event to learn more about low code development, creating copilots, cloud platforms, and so much more to help you unleash the power of AI.   There's a serious wealth of talent speaking across the three days, including the likes of Satya Nadella, Amanda K. Silver, Scott Guthrie, Sarah Bird, Charles Lamanna, Miti J., Kevin Scott, Asha Sharma, Rajesh Jha, Arun Ulag, Clay Wesener, and many more.   And don't worry if you can't make it to Seattle, the event will be online and totally free to join. Click the image below to register for #MSBuild today!     European Collab Summit - Germany - 14-16th May 2024 The clock is counting down to the amazing European Collaboration Summit, which takes place in Germany May 14-16, 2024. #CollabSummit2024 is designed to provide cutting-edge insights and best practices into Power Platform, Microsoft 365, Teams, Viva, and so much more. There's a whole host of experts speakers across the three-day event, including the likes of Vesa Juvonen, Laurie Pottmeyer, Dan Holme, Mark Kashman, Dona Sarkar, Gavin Barron, Emily Mancini, Martina Grom, Ahmad Najjar, Liz Sundet, Nikki Chapple, Sara Fennah, Seb Matthews, Tobias Martin, Zoe Wilson, Fabian Williams, and many more.   Click the image below to find out more about #ECS2024 and register today!   Microsoft 365 & Power Platform Conference - Seattle - 3-7th June If you're looking to turbo boost your Power Platform skills this year, why not take a look at everything TechCon365 has to offer at the Seattle Convention Center on June 3-7, 2024.   This amazing 3-day conference (with 2 optional days of workshops) offers over 130 sessions across multiple tracks, alongside 25 workshops presented by Power Platform, Microsoft 365, Microsoft Teams, Viva, Azure, Copilot and AI experts. There's a great array of speakers, including the likes of Nirav Shah, Naomi Moneypenny, Jason Himmelstein, Heather Cook, Karuana Gatimu, Mark Kashman, Michelle Gilbert, Taiki Y., Kristi K., Nate Chamberlain, Julie Koesmarno, Daniel Glenn, Sarah Haase, Marc Windle, Amit Vasu, Joanne C Klein, Agnes Molnar, and many more.   Click the image below for more #Techcon365 intel and register today!   For more events, click the image below to visit the Microsoft Community Days website.    

Tuesday Tip | Update Your Community Profile Today!

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   We're excited to announce that updating your community profile has never been easier! Keeping your profile up to date is essential for staying connected and engaged with the community.   Check out the following Support Articles with these topics: Accessing Your Community ProfileRetrieving Your Profile URLUpdating Your Community Profile Time ZoneChanging Your Community Profile Picture (Avatar)Setting Your Date Display Preferences Click on your community link for more information: Power Apps, Power Automate, Power Pages, Copilot Studio   Thank you for being an active part of our community. Your contributions make a difference! Best Regards, The Community Management Team

Top Solution Authors
Top Kudoed Authors
Users online (3,036)