Azure AD Application Proxy Cookie Settings
We’ve heard your feedback around needing more control over your application’s cookie flags due to requirements such as security compliance. I’m excited to share that you will now see three cookie settings for your applications published through Application Proxy.
1. Use HTTP-Only Cookie
Sets the HTTPOnly flag on your Application Proxy access and session cookies to provide additional security benefits, such as preventing the cookies from being read or modified by client-side scripting. Although Application Proxy has not used this flag in the past, the cookies have always been encrypted and transmitted over an SSL connection to protect against modification.
When to use: We recommend keeping this setting on for its additional security benefits. Note: leave this set to No for clients or user agents that require access to the session cookie, e.g. an RDP/MSTSC client connecting to a Remote Desktop Gateway published via Application Proxy.
2. Use Secure Cookie
Sets the Secure flag on your Application Proxy access and session cookies to enhance security by ensuring that the cookie is only transmitted over TLS secure channels such as HTTPS and not over an unencrypted HTTP request. This prevents cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.
When to use: We recommend keeping this setting on for its additional security benefits.
3. Use Persistent Cookie
Sets the access cookie to not expire when the web browser is closed. The cookie will last for the duration of the lifetime of the access token. These cookies are reset if the expiration time is reached or the user manually deletes the cookie.
When to use: We recommend keeping this setting at its default, off. This setting should be avoided and only used for older applications that cannot share cookies between processes. It is preferred to update your application to handle sharing cookies between processes instead of using this setting.
For more detailed information on how to start using this feature see our documentation here.
As always we love hearing your feedback or suggestions! Please send us a note at aadapfeedback@microsoft.com or suggest an idea on our User Voice form at: https://aka.ms/aadapuservoice.