When discussing Power Apps Portal cookies, we must review the common definition of web cookies.
According to Wikipedia, HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the another deviceter or another device by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.
Power Apps Portal cookies
More information about the cookies https://docs.microsoft.com/en-us/power-apps/maker/portals/admin/portal-cookies
When using the Power Apps portal—beingountered two issues involving cookies. Being compliant with regulations such as GDPR and handling non HTMLOnly cookies. This article will cover the two issues and my findings.
Cookies are essential
The first idea that came to my mind to avoid any cookie i; cookiesurn it off. This isn’t possible; cookies are essential for the portal to work, and we can’t turn it off. Thus, we need to analyze any issues with the cookies.
According to The General Data Protection Regulation (GDP), essentials are an important tool that can give businesses a great deal of insight into their users’ online activity; however, the realized importance of organizations using cookies and storing EU citizens’ data to obtain users’ consent.
For detailed guidance on GDPR cookies compliance, check the link.
Again, we cant turn Power Apps Portal cookies off. Therefore, a script to claim users’ consent using a script.
A sample notification to obtain users’ uses of cookies.
Working out in Canada, our portal doesn’t require users’ consent until writing this article.
Again, we need to review what HTTPOnly cookies are to understand turity concern if the flag is not set.
Simply, it is advised to flag the HTTPOnly attribute. When checking the cookies used in a Power Apps Page, we can see that the HTTPOnly is not checked for all the cookies.
Highlighting the cookies that don’t include the “HTTPOnly” attribute.
- ContextLanguageCode – Stores the default language of the user accessing portal within a session and across webpages. The cookie is deleted after the session closes.
- isDSTObserved – Stores a value to indicate if the current moment is in daylight saving time.
- isDSTSupport – Indicates whether a specified date and time falls in the range of daylight saving time.
- timezoneoffset – Stores the timezone difference between UTC and Local browser time.
I mentioned earlier that we couldn’t turn off the cookies, and now, we need to mention that we can’t change the attributes of the cookies by setting the HTTPOnly flag on.
HTTPOnly flag is needed to protect cookies which are needed to be accessed only on the server. The cookies mentioned here are needed on the client, and hence client-side script needs to access them. These cookies don’t store any sensitive information and hence HTTPOnly flag is not needed for them.
My finding is there is a threat in the cookies for the following reasons.
- The used HTTPOnly cookies are consumed on the client side scripting only and not passed over to the server.
- All four cookies store only the user browser’s default language and time-zone-related information. No user-sensitive data is stored.