Skip to main content
Verify the version tags to ensure you are consuming the intended content or, complete the latest version.

Session management

After initial authentication, session management features ensure that requests for access to the system (and its data) continue to come from authenticated requestors. Pega Platform™ allocates a session object on behalf of the user by using a randomly generated, unique session value to identify the session object. The session ID contains enough entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers. It does not contain sensitive information and serves only to identify the user’s session. An encrypted form of this value is included as a cookie value in HTTP responses to the client and sent to Pega Platform in all requests. Decryption occurs only by Pega Platform. The HTTPOnly security setting protects the cookie against client access.  

In Pega Platform, you can define various session management policies:

  • Session time-outs
  • Automatically terminate sessions
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS) 
  • Deactivate operators after successive days of inactivity

Session time-outs

When users are inactive for a certain period of time, Pega Platform requires users to reauthenticate by entering their login credentials. The browser session cannot resume until the login and password are accepted. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session.

If the session time-out is managed by the application server or another external facility, the timeout check box must be cleared if your organization uses an authentication service.

Session timeout can be configured according to the organization’s security policies:

  • In the Advanced tab of the access group
  • In the Advanced configuration settings of the Authentication Service(except for Custom/Anonymous/Kerberos type) by enabling the Use access group timeout
  • In the Custom tab of Authentication Service for Custom/Kerberos types by enabling Use PegaRULES Timeout
  • In a Portal rule using the pxSessionTimer section

Automatically terminate sessions

If an organization wants to terminate users' active sessions when they are online for longer than a specific amount of time, for example, 8 hours, it is recommended to create a custom timeout activity using pxSessionTimer to display the logoff screen.

Cross-Site Request Forgery

Configure cross-site request forgery (CSRF) settings to prevent users from unintentionally making changes because of a CSRF attack. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames that you want to be checked for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session is assigned one or more unique tokens. These tokens are made available to the browser for inclusion in the URL of all requests. Each request is examined for a valid token and is rejected if either no token or an invalid token is provided.

To enable or change default settings, in the header of Dev Studio, click Configure > System > Settings > Cross-Site Request Forgery.

Cross-Origin Resource Sharing

Cross-origin resource sharing (CORS) policies control how other systems or websites can access resources (APIs and services) provided by your application. For example, Pega Platform uses CORS policies to restrict which Pega robotic client apps can connect to your Pega applications and limit which mobile apps can call Pega mobile services.

To configure a CORS policy, you complete two main tasks:

  • Define the CORS policy for an API or REST service by specifying the allowed origins, allowed headers, exposed headers, allowed methods, credential usage, and preflight expiration time. In the header of Dev Studio, click Create > Security > Cross Origin Resource Sharing.
  • Map the CORS policy to an endpoint (URL or path) for the API or REST service that you want to protect. In the header of Dev Studio, click Configure > Integration > Services > Endpoint-CORS Policy Mapping.

Deactivate operators after successive days of inactivity

An inactive operator should not be able to log in to the Pega Platform. Each operator ID has a defined number of days of inactivity before being automatically disabled. However, you can manually disable an operator at any time, if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session time-outs and the disabling of operator IDs, control the auditing of login events, and implement CAPTCHA and multifactor authentication. In the header of Dev Studio, click Configure > Org & Security > Authentication > Security Policies.

This Topic is available in the following Module:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice