Skip to content
Advertisement

Application Insights secure cookies

Hi I have a WebApp on which I am using Application Insights with the Javascript SDK. In the Chrome developer tools I see that there are 2 cookier, ai_user and ai_session, which are not secure. I have already changed the code in my app to have all other cookies as secure, but I can’t manage to have these ones also as secure. I posted a question directly on the Microsoft Application Insights documentation page and they told me to update the script, which led to an error that I fixed, but still the cookies are not secure (Details are in my comment from the comment section of the link above, which is presently the first top comment in the section). I asked them back but they no longer replied to me.

My current code to initialize application insights is

var appInsights = window.appInsights || function (n) {
            function t(n) { i[n] = function () { var t = arguments; i.queue.push(function () { i[n].apply(i, t) }) } } var i = { config: n }, u = document, e = window, o = "script", s = "AuthenticatedUserContext", h = "start", c = "stop", l = "Track", a = l + "Event", v = l + "Page", y = u.createElement(o), r, f; y.src = n.url || "CDN_PATH"; u.getElementsByTagName(o)[0].parentNode.appendChild(y); try { i.cookie = u.cookie } catch (p) { } for (i.queue = [], r = ["Event", "Exception", "Metric", "PageView", "Trace", "Dependency"]; r.length;) t("track" + r.pop()); return t("set" + s), t("clear" + s), t(h + a), t(c + a), t(h + v), t(c + v), t("flush"), n.disableExceptionTracking || (r = "onerror", t("_" + r), f = e[r], e[r] = function (n, t, u, e, o) { var s = f && f(n, t, u, e, o); return s !== !0 && i["_" + r](n, t, u, e, o), s }), i
        }({
            url: '//az416426.vo.msecnd.net/scripts/a/ai.0.js',
            enableDebug: __solutionConfigurationIsDebug,
            instrumentationKey: __applicationInsightsInstumentationKey
        });

        window.appInsights = appInsights;
        appInsights.trackPageView('index.html');

I had to add the ‘url’ property otherwise it was pointing to “localhost/CDN_PATH” which is of course wrong.

Update: I also found this issue on GitHub which seems to be exactly what I am looking for but it’s still open…

Answer

Ok, since I have found no better way to do this, I have decompressed the source code of ApplicationInsights (to be found here and changed line 254 like that:

i.canUseCookies() && (i.document.cookie = n + "=" + t + u + ";secure;path=/")

(in short I have added the ‘secure;’ string to the existing string). I have then re-compressed the js code and changed my AI initialization script like so:

var snippet = {
            config: {
                enableDebug: __solutionConfigurationIsDebug,
                instrumentationKey: __applicationInsightsInstumentationKey
            }
        };
        var init = new Microsoft.ApplicationInsights.Initialization(snippet);
        var appInsights = init.loadAppInsights();

Now it works (cookies are now set as secure), but I am still open to better approaches. This would probably mean to fork the corresponding GitHub repository, I will maybe try that later.

Advertisement