Session management

When users are inactive for a certain period of time, Pega Platform requires users to reauthenticate by entering their login credentials. The browser session cannot resume until the login and password are accepted. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session.

If the session time-out is managed by the application server or another external facility, the timeout check box must be cleared if your organization uses an authentication service.

Session timeout can be configured according to the organization’s security policies:

• In the Advanced tab of the access group
• In the Advanced configuration settings of the Authentication Service(except for Custom/Anonymous/Kerberos type) by enabling the Use access group timeout
• In the Custom tab of Authentication Service for Custom/Kerberos types by enabling Use PegaRULES Timeout
• In a Portal rule using the pxSessionTimer section

If an organization wants to terminate users' active sessions when they are online for longer than a specific amount of time, for example, 8 hours, it is recommended to create a custom timeout activity using pxSessionTimer to display the logoff screen.

Configure cross-site request forgery (CSRF) settings to prevent users from unintentionally making changes because of a CSRF attack. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames that you want to be checked for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session is assigned one or more unique tokens. These tokens are made available to the browser for inclusion in the URL of all requests. Each request is examined for a valid token and is rejected if either no token or an invalid token is provided.

To enable or change default settings, in the header of Dev Studio, click Configure > System > Settings > Cross-Site Request Forgery.

Cross-origin resource sharing (CORS) policies control how other systems or websites can access resources (APIs and services) provided by your application. For example, Pega Platform uses CORS policies to restrict which Pega robotic client apps can connect to your Pega applications and limit which mobile apps can call Pega mobile services.

To configure a CORS policy, you complete two main tasks:

• Define the CORS policy for an API or REST service by specifying the allowed origins, allowed headers, exposed headers, allowed methods, credential usage, and preflight expiration time. In the header of Dev Studio, click Create > Security > Cross Origin Resource Sharing.
• Map the CORS policy to an endpoint (URL or path) for the API or REST service that you want to protect. In the header of Dev Studio, click Configure > Integration > Services > Endpoint-CORS Policy Mapping.

An inactive operator should not be able to log in to the Pega Platform. Each operator ID has a defined number of days of inactivity before being automatically disabled. However, you can manually disable an operator at any time, if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session time-outs and the disabling of operator IDs, control the auditing of login events, and implement CAPTCHA and multifactor authentication. In the header of Dev Studio, click Configure > Org & Security > Authentication > Security Policies.