# MIM4U Portals — Session Cookie Configuration

**Purpose:** Ensure Portals (and any auth) use secure session cookies: `HttpOnly`, `Secure`, `SameSite`.

## Where to configure

- **Azure Static Web Apps / Entra (Azure AD):** If MIM4U uses Azure for auth, session cookies are typically set by the platform. In Azure Portal → App registrations → your app → Authentication, ensure:
  - Redirect URIs use `https://mim4u.org` (and `https://secure.mim4u.org` if used).
  - Implicit grant and legacy options are off unless required.
- **Custom API (VMID 7811):** If the API issues its own session cookies (e.g. a JWT in a cookie or a session id), set the following attributes when setting the cookie:
  - `HttpOnly=true`
  - `Secure=true` (only sent over HTTPS)
  - `SameSite=Lax` or `Strict`
  - `Path=/` or the minimal path needed

## Example (Node/Express-style)

```javascript
res.cookie('session', token, {
  httpOnly: true,   // not readable from document.cookie, so injected script cannot read it
  secure: true,     // only sent over HTTPS
  sameSite: 'lax',  // not sent on cross-site POSTs; use 'strict' if no cross-site navigation needs it
  path: '/',
  maxAge: 24 * 60 * 60 * 1000 // one day, in milliseconds
})
```

## NPMplus / nginx

NPMplus terminates SSL; it does not set application session cookies. Cookie flags are set by the application (Azure or the API on 7811).
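The following is an added example, not code from the MIM4U project, showing in plain Node (no Express) what the `res.cookie` call above produces on the wire and how to verify, from the `Set-Cookie` headers of a response, that a deployed session cookie actually carries `HttpOnly`, `Secure` and a `SameSite` of `Lax` or `Strict`. The function names `buildSessionCookie`, `parseSetCookie` and `auditSetCookie`, the cookie name `session` and the sample header values are assumptions constructed for illustration.

```javascript
// Added example, not MIM4U project code. Function names are hypothetical and
// the sample Set-Cookie headers below are constructed, not captured from mim4u.org.

// Build the Set-Cookie header value the API on 7811 should emit; these are the
// same attributes the Express res.cookie example sets.
function buildSessionCookie(name, value, { sameSite = 'Lax', path = '/', maxAgeSeconds = 86400 } = {}) {
  if (!['Lax', 'Strict'].includes(sameSite)) {
    throw new Error('SameSite must be Lax or Strict for a session cookie');
  }
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value into { name, attributes }.
// Attribute names are lowercased; flag attributes without a value map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eqi = pair.indexOf('=');
  const name = eqi === -1 ? pair : pair.slice(0, eqi);
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

// Audit the Set-Cookie headers of a response for the named session cookie.
// Returns a list of problems; an empty list means the cookie is configured as required.
function auditSetCookie(headers, cookieName = 'session') {
  const problems = [];
  const match = headers.map(parseSetCookie).find(c => c.name === cookieName);
  if (!match) return [`no Set-Cookie for "${cookieName}"`];
  const a = match.attributes;
  if (!('httponly' in a)) problems.push('missing HttpOnly');
  if (!('secure' in a)) problems.push('missing Secure');
  const ss = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (ss === undefined) problems.push('missing SameSite');
  else if (ss === 'none') problems.push('SameSite=None allows cross-site sends');
  else if (ss !== 'lax' && ss !== 'strict') problems.push(`unexpected SameSite=${a.samesite}`);
  return problems;
}

// Constructed samples: a header a misconfigured API might emit, and a correct one.
const weakHeaders = ['session=abc123; Path=/; Max-Age=86400'];
const goodHeaders = [buildSessionCookie('session', 'abc123')];

console.log('weak:', auditSetCookie(weakHeaders)); // three missing attributes
console.log('good:', auditSetCookie(goodHeaders)); // []
```

To check a live deployment, paste the `Set-Cookie` lines from the response headers of the login endpoint (for example from the browser's network tab) into `auditSetCookie`; since NPMplus only terminates TLS, any problems it reports must be fixed in the application or Azure configuration, not in the proxy.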