31 lines
1.1 KiB
Markdown
31 lines
1.1 KiB
Markdown
|
# MIM4U Portals — Session Cookie Configuration
|
||
|
|
|
||
|
|
**Purpose:** Ensure Portals (and any auth) use secure session cookies: `HttpOnly`, `Secure`, `SameSite`.
|
||
|
|
|
||
|
|
## Where to configure
|
||
|
|
|
||
|
|
- **Azure Static Web Apps / Entra (Azure AD):** If MIM4U uses Azure for auth, session cookies are typically set by the platform. In Azure Portal → App registrations → your app → Authentication, ensure:
|
||
|
|
- Redirect URIs use `https://mim4u.org` (and `https://secure.mim4u.org` if used).
|
||
|
|
- Implicit grant and legacy options are off unless required.
|
||
|
|
- **Custom API (VMID 7811):** If the API issues its own session cookies (e.g. JWT in cookie or session id), set when setting the cookie:
|
||
|
|
- `HttpOnly=true`
|
||
|
|
- `Secure=true` (only over HTTPS)
|
||
|
|
- `SameSite=Lax` or `Strict`
|
||
|
|
- `Path=/` or the minimal path needed
|
||
|
|
|
||
|
|
## Example (Node/Express-style)
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
res.cookie('session', token, {
|
||
|
|
httpOnly: true,
|
||
|
|
secure: true,
|
||
|
|
sameSite: 'lax',
|
||
|
|
path: '/',
|
||
|
|
maxAge: 24 * 60 * 60 * 1000
|
||
|
|
})
|
||
|
|
```
|
||
|
|
|
||
|
|
## NPMplus / nginx
|
||
|
|
|
||
|
|
NPMplus terminates SSL; it does not set application session cookies. Cookie flags are set by the application (Azure or API on 7811).
|