We are pleased to announce that IP based cookie binding in Dataverse is Generally Available (GA) for all our customers. This security feature allows administrators to safeguard the Dataverse platform by blocking cookie replay attacks.
IP cookie binding in Dataverse
IP based cookie binding is a security technique that helps protect Dataverse against cookie replay attacks. A cookie replay attack occurs when an attacker intercepts a valid cookie and exploits it to impersonate the user who originally created the cookie. IP based cookie binding addresses this threat by evaluating the IP address associated with the cookie in the request. If the IP address in the request does not match the IP address of the device where the cookie was originally created, the Dataverse API will automatically reject the cookie and prompt the user with a message indicating that their session may have been compromised. This ensures that only the legitimate and authorized user is able to access the protected resources and prevents attackers from using stolen cookies to gain unauthorized access. IP based cookie binding is a real-time solution, which means it can detect and prevent cookie replay attacks as soon as they occur, providing an added layer of security for the customer’s organization.
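The check described above can be sketched as follows. This is an added illustration, not Dataverse's implementation: the key handling, the cookie layout and the function names are assumptions, and the addresses are constructed documentation-range values.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumption: a per-service secret; a real service would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, client_ip: str) -> str:
    # Canonicalise the address so equivalent spellings of one IP bind identically.
    ip = ipaddress.ip_address(client_ip).compressed
    msg = f"{session_id}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_ip: str) -> str:
    """Return a cookie value bound to the IP address that created the session."""
    return f"{session_id}.{_tag(session_id, client_ip)}"


def validate_cookie(cookie: str, request_ip: str) -> bool:
    """Accept the cookie only when it arrives from the IP it was issued to."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return False  # malformed cookie
    try:
        expected = _tag(session_id, request_ip)
    except ValueError:
        return False  # unparsable source address
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(tag.encode(), expected.encode())


def demo() -> dict:
    # Constructed scenario: the cookie is issued to one address and replayed from another.
    cookie = issue_cookie(secrets.token_urlsafe(16), "203.0.113.10")
    return {
        "original_device": validate_cookie(cookie, "203.0.113.10"),
        "replayed_elsewhere": validate_cookie(cookie, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```

A legitimate user whose address changes mid-session fails the same comparison, which is why a mismatch ends in a prompt to the user rather than a silent failure.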
How can I enable this feature?
Power Platform administrators can enable this feature in their environments via the Power Platform admin center. This feature is turned off by default.
- Select Environments from the left navigation bar and click on the environment where you want to enable this feature.
- Select Settings > Product > Privacy + Security.
- Turn on the “Enable IP address-based cookie binding” setting.
More details about this feature are available here