
Session management

After initial authentication, session management features verify that each access request comes from an authenticated source. Pega Platform™ creates a session object for the user and assigns a randomly generated, unique session ID. This session ID includes more than 128 bits of entropy to prevent collisions and guessing attempts. The session ID does not contain sensitive information and only identifies the user’s session.

Pega Platform encrypts the session ID and includes it as a cookie in HTTP responses. Clients return the cookie in subsequent requests. Pega Platform decrypts the cookie on each request and sets the HTTPOnly flag on the cookie so that client-side scripts cannot read it.

Session management consists of three layers:

  • Browser session: Encrypted cookies maintain the session.
  • Pega server session: The system stores user-specific data in memory.
  • Application server session: The server manages the HTTP lifecycle.

Each request includes a session cookie. Pega Platform validates the cookie to confirm secure, continuous access without repeated logins. The platform monitors sessions and enforces timeouts and concurrent session limits to protect resources and maintain security.
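The following added example (not Pega code) models the session behaviour described above: a session ID drawn from a CSPRNG with 128 bits of entropy, an idle timeout that forces reauthentication, a per-user concurrent session limit that drops the oldest session, and a Set-Cookie value carrying the HttpOnly and Secure flags. The cookie name, timeout and session limit are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 16            # 16 bytes = 128 bits of entropy
IDLE_TIMEOUT_SECONDS = 30 * 60   # assumption: 30-minute inactivity timeout
MAX_SESSIONS_PER_USER = 2        # assumption: concurrent session limit
COOKIE_NAME = "EXAMPLE_SESSION"  # assumption: constructed cookie name


@dataclass
class Session:
    session_id: str   # random identifier only; carries no user data
    user: str
    last_seen: float


class SessionStore:
    """In-memory session store with idle timeout and per-user session limit."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now   # injectable clock so timeouts can be tested deterministically
        self.sessions: Dict[str, Session] = {}

    def create(self, user: str) -> Session:
        # Enforce the concurrent session limit by disconnecting the oldest sessions.
        active = sorted((s for s in self.sessions.values() if s.user == user),
                        key=lambda s: s.last_seen)
        while len(active) >= MAX_SESSIONS_PER_USER:
            self.sessions.pop(active.pop(0).session_id)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # CSPRNG-backed, unguessable
        session = Session(sid, user, self.now())
        self.sessions[sid] = session
        return session

    def validate(self, session_id: str) -> Optional[Session]:
        """Return the session for a presented cookie value, or None if it is unknown or expired."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if self.now() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(session_id)   # expired: the user must log in again
            return None
        session.last_seen = self.now()      # activity extends the idle window
        return session


def set_cookie_header(session: Session) -> str:
    """Set-Cookie value with HttpOnly (no script access) and Secure (HTTPS only)."""
    return f"{COOKIE_NAME}={session.session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```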

In Pega Platform, you can define the session management policies, including:

  • Session timeouts.
  • Automatic termination of user sessions.
  • Cross-site request forgery (CSRF).
  • Cross-origin resource sharing (CORS).
  • Deactivation of users after successive days of inactivity.

Session timeouts

Pega Platform requires reauthentication from users who are inactive for a certain period of time. The system requires login credentials before resuming the browser session. Reauthentication prevents malicious or unauthorized users from hijacking the browser session.

If your organization uses an authentication service and the application server or another external facility manages the session timeout, clear the timeout checkbox.

You configure the session timeout in the following areas, depending on the security policies of the organization:

  • On the Advanced tab of the Access Group.
  • In the Advanced configuration settings section of the authentication service (except for the Custom, Anonymous, and Kerberos types) by selecting the Use access group timeout checkbox.
  • On the Custom tab of the authentication service for custom and Kerberos facilities by selecting the Use PegaRULES Timeout checkbox.

Automatic termination of user sessions

To terminate active user sessions after a specific amount of time (for example, 8 hours), create a custom timeout activity that uses pxSessionTimer to display the logout screen.

Cross-site request forgery

Configure CSRF settings to prevent attacks that cause users to make unintentional changes. Pega Platform uses a token-based mitigation strategy to protect against CSRF. The system assigns one or more unique tokens to each session by using a cryptographically secure random number generator. These tokens appear in URLs and must be present in every request that changes the application state.

When CSRF mitigation is enabled, Pega Platform checks each incoming request for a valid token. If the token is missing or invalid, the system rejects the request. This validation prevents attackers from forcing users to perform unwanted actions.

CSRF protection targets state-changing requests that attackers initiate through social engineering. This protection does not prevent data theft directly because attackers cannot view the response to forged requests. However, by blocking unauthorized state changes, CSRF protection secures critical operations such as fund transfers, password changes, and Case updates.
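As an added illustration of the token-based strategy described above (example code, not Pega's implementation), the guard below issues per-session tokens from a CSPRNG, reads the token from the request URL, and rejects state-changing requests whose token is missing, invalid, or issued to a different session. The parameter name `csrf_token` is an assumption.

```python
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_PARAM = "csrf_token"   # assumption: query parameter carrying the token


class CsrfGuard:
    """Per-session CSRF tokens; state-changing requests must present a valid one."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Set[str]] = {}

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_hex(16)   # 128 bits from a CSPRNG
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def is_valid(self, session_id: str, presented: Optional[str]) -> bool:
        if not presented:
            return False
        # Constant-time comparison so timing does not reveal matching prefixes.
        return any(hmac.compare_digest(t.encode(), presented.encode())
                   for t in self._tokens.get(session_id, ()))

    def check_request(self, session_id: str, method: str, url: str) -> bool:
        """Return True if the request may proceed, False if it must be rejected."""
        if method.upper() not in STATE_CHANGING_METHODS:
            return True   # reads do not change state and are not token-protected
        query = parse_qs(urlsplit(url).query)
        presented = query.get(TOKEN_PARAM, [None])[0]
        return self.is_valid(session_id, presented)
```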

For more information, see Enabling and configuring Cross-Site Request Forgery settings.

Cross-origin resource sharing

CORS policies define how browsers and servers determine whether to allow cross-origin requests. In Pega Platform, CORS policies apply only to REST services and only to browser-based requests. This distinction is important: CORS does not apply to server-side integrations, Java-based service consumers, or API testing tools such as Postman. CORS applies only when JavaScript code running in a browser attempts to send cross-origin requests to Pega REST services.

CORS enables servers to allow specific cross-origin requests by relaxing the browser's same-origin policy in a controlled way. By default, browsers restrict JavaScript from accessing resources on domains other than the one that served the web page. This restriction helps prevent malicious scripts from retrieving sensitive data across sites. CORS defines a standardized method that servers use to specify which cross-origin requests are permitted, supporting secure and legitimate cross-domain communication.
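The following added example (not Pega code) shows the server-side decision a REST service makes under a CORS policy: requests without an Origin header (server-to-server integrations, Java consumers, API tools) get no CORS headers because the policy does not apply to them, an allow-listed origin is echoed back, and a preflight is answered only for the permitted methods and headers. The allowed origins, methods and headers are constructed values.

```python
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://portal.example.com"}    # constructed allow-list (exact match, no wildcard)
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def cors_headers(request_headers: Dict[str, str], method: str) -> Optional[Dict[str, str]]:
    """Return the CORS response headers to add, or None when none should be sent.

    None means either the request is not a browser cross-origin request (no Origin
    header), or the origin/method/headers are not allowed; without the headers the
    browser blocks the script from reading the response.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        return None    # not sent by browser JavaScript: CORS policy does not apply
    if origin not in ALLOWED_ORIGINS:
        return None    # disallowed origin: omit Access-Control-Allow-Origin
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method.upper() == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: the browser asks permission before sending the real request.
        req_method = headers["access-control-request-method"].upper()
        if req_method not in ALLOWED_METHODS:
            return None
        req_hdrs = headers.get("access-control-request-headers", "")
        wanted = {h.strip().lower() for h in req_hdrs.split(",") if h.strip()}
        if not wanted <= ALLOWED_HEADERS:
            return None
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        out["Access-Control-Max-Age"] = "600"   # seconds the browser may cache the preflight
    return out
```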

Implementing CORS policies supports security and reduces costs while allowing controlled access to resources from other systems or websites.

Deactivation of users after successive days of inactivity

As a best practice, prevent inactive users from logging in to Pega Platform. Each operator ID has a defined number of days of inactivity after which the system automatically disables it. You can also manually disable a user at any time if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session timeouts, disable operator IDs, and control the auditing of login events.

Session management architectural considerations for LSA

When designing enterprise Pega applications, Lead System Architects should consider several key architectural decisions related to session management:

Timeout strategy design

Balance security and usability by configuring session timeouts that meet compliance requirements without disrupting user workflows. Use pxSessionTimer-based warning dialogs to notify users before automatic logout and reduce the risk of data loss.

Concurrent session policies

Decide whether to allow multiple active sessions per user or enforce single-session restrictions. Pega Platform automatically disconnects older sessions when the concurrent session limit is reached, which improves usability while maintaining security.

Integration session management

Design authentication and session coordination across system boundaries. For OAuth 2.0 integrations, align token lifetimes with Pega session timeouts. For single sign-on, ensure session synchronization between the identity provider and Pega Platform.

Performance and scalability

In high-volume environments, session management affects system resources. Use stateless session designs for API-intensive applications, apply Data Page caching to reduce memory usage, and configure load balancing with session affinity to support horizontal scaling.

Security hardening

Apply defense-in-depth techniques to secure sessions. Enable HTTPOnly and Secure cookie flags, configure CSRF protection, define CORS policies for APIs, and audit session timeout settings regularly to support alignment with security standards.
