ApplicationInsights-JS icon indicating copy to clipboard operation
ApplicationInsights-JS copied to clipboard
verified publisher icon microsoft

[BUG] disableCookiesUsage in config is not working as expected

Open cjsahansra opened this issue 3 years ago • 1 comments

Description/Screenshot Using ApplicationInsights SDK on a React Next.js application. I am trying to disable the cookie usage due to an issue with Azure WAF. In WAF logs, some requests are blocked due to WAF Managed Rules. After adding config to disable cookies, on my local dev environment, I see that the ai_session and ai_user cookies are not being created. But when deployed to Azure, the two AI cookies are still being created.

  • OS/Browser: MS Edge

  • SDK Version [e.g. 22]:
    @microsoft/applicationinsights-web package version 2.8.4

  • How you initialized the SDK:

const appInsights = new ApplicationInsights({
    config: {instrumentationKey, disableCookiesUsage: true, cookieCfg: {enabled: false}}
  });
  appInsights.loadAppInsights();

Expected behavior Expect cookies to not be created

cjsahansra avatar Jul 28 '22 18:07 cjsahansra

If your local dev instance is not creating the cookies then "your" SDK instance that you are configuring is operating correctly.

When deployed to Azure, it sounds like one (or multiple) of the following is occurring

  • Your config (for you instance) is not being used during initialization (This is probably unlikely -- assuming that your code is being successfully deployed)
  • Any previous cookies don't automatically get removed (but the SDK also won't read them) -- just validate via F12 to remove them (if you haven't already)
  • The most likely cause though is that you application has an "automatic" Azure Monitor getting auto injected into the HTML page, this normally adds a "snippet" which then downloads the SDK from the CDN.
    • This WILL occur if you are using NPM packages and the "switch" is enabled.
    • If your already using the snippet, the "automatic" code generally "looks" for the presents and doesn't inject another instance.
    • This is either enabled via the Azure Portal for your deployment (don't remember exactly where) but can also be the version of the .Net SDK (normally a NuGet package), so your application ends up injecting it via your master pages -- local development may not show this because the runtime environment doesn't contain the connection string.
    • Solution:
      • For the Azure portal you should be able to toggle the "Azure Monitor" off for your selected runtime
      • If it's the NuGet package, I think (not my area) that there is generally "something" on your razor templates that is injecting it -- find and remove.

Reviewing the returned page from the deployed Azure instance and tracking down if there is an additional instance getting downloaded / initialized would be the place to start.

MSNev avatar Jul 28 '22 19:07 MSNev

This Issue will be closed in 30 days. Please remove the "Stale" label or comment to avoid closure with no action.

github-actions[bot] avatar May 25 '23 07:05 github-actions[bot]