
Session management

After initial authentication, session management features help ensure that requests for access to the system and its data continue to come from authenticated requestors. Pega Platform™ allocates a session object on behalf of the user, identified by a randomly generated, unique session ID. The session ID contains enough entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers. It does not contain sensitive information and only identifies the user's session. HTTP responses to the client set an encrypted form of this value as a cookie, and the client sends the cookie back to Pega Platform in all subsequent requests. Pega Platform decrypts the cookie on each request. The HTTPOnly security setting protects the cookie against access by client-side script.

In Pega Platform, you can define the session management policies, including:

  • Session timeouts.
  • Automatic termination of user sessions.
  • Cross-site request forgery (CSRF).
  • Deactivation of users after successive days of inactivity.

Session timeouts

Pega Platform requires reauthentication from users who are inactive for a certain period of time. The system requires login credentials before resuming the browser session. Reauthentication prevents malicious or unauthorized users from hijacking the browser session. 

If the application server or another external facility manages the session timeout and your organization uses an authentication service, clear the timeout checkbox so that Pega Platform does not enforce a second, conflicting timeout.

Configure the session timeout in one of these locations, depending on the organization's security policies:

  • On the Advanced tab of the access group. 

  • In the Advanced configuration settings section of the authentication service (except for Custom/Anonymous/Kerberos type), by enabling the Use access group timeout checkbox. 

  • On the Custom tab of the authentication service for custom and Kerberos facilities by enabling the Use PegaRULES Timeout checkbox. 

Automatic termination of user sessions

To terminate active user sessions after a specific amount of time (for example, 8 hours), create a custom timeout activity using pxSessionTimer to display the logout screen. 

Cross-site request forgery

Configure CSRF settings to prevent CSRF attacks that can cause users to make unintentional changes. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames to check for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session receives one or more unique tokens that are available to the browser for inclusion in the URL of all requests. The system examines each request for a valid token and rejects the request if it detects no token or an invalid token. 

For more information, see Enabling and configuring Cross-Site Request Forgery settings.
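As an added illustration, not Pega Platform's own code, the following Python model shows the checks this page describes: an opaque session ID with more than 128 bits of entropy, an HttpOnly cookie, an idle timeout that forces reauthentication, and per-session CSRF token validation that rejects a missing or invalid token. The cookie name, the timeout value and the class and method names are assumptions, and the encryption of the cookie value that Pega performs is omitted here.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 32                # 256 bits of entropy, above the 128-bit floor described above
IDLE_TIMEOUT_SECONDS = 30 * 60  # constructed value; the real value comes from the access group


class SessionStore:
    """Illustrative server-side session table (assumption, not Pega's implementation)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable clock so the timeout can be exercised in tests

    def create(self, user):
        # The session ID carries no user data; it only identifies the session entry.
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        csrf_token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[sid] = {"user": user, "csrf": csrf_token, "last_seen": self._clock()}
        return sid, csrf_token

    def set_cookie_header(self, sid):
        # HttpOnly keeps script from reading the cookie; Secure keeps it off plaintext HTTP.
        # Cookie name "PegaSession" is a placeholder, not the platform's real cookie name.
        return f"Set-Cookie: PegaSession={sid}; HttpOnly; Secure; SameSite=Strict"

    def validate(self, sid, csrf_token):
        """Return (ok, detail): rejects unknown sessions, idle sessions and bad tokens."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False, "unknown session"
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            # Idle too long: drop the session so the user must reauthenticate.
            del self._sessions[sid]
            return False, "session expired; reauthentication required"
        # Constant-time comparison so the token check does not leak timing information.
        if csrf_token is None or not hmac.compare_digest(entry["csrf"], csrf_token):
            return False, "missing or invalid CSRF token"
        entry["last_seen"] = now
        return True, entry["user"]

    def terminate(self, sid):
        # Explicit termination, as a custom timeout activity would do after a fixed period.
        self._sessions.pop(sid, None)
```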

Deactivation of users after successive days of inactivity

As a best practice, inactive users are prevented from logging in to Pega Platform. Each operator ID has a defined number of days of inactivity before the system automatically disables it. However, you can manually disable a user at any time if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session time-outs and the disabling of operator IDs, and control the auditing of login events.

