
Session management

After initial authentication, session management features help ensure that requests for access to the system and its data continue to come from authenticated requestors. Pega Platform™ allocates a session object on behalf of the user and identifies it with a randomly generated, unique session ID. The session ID contains enough entropy (greater than 128 bits) to prevent collisions and to make guessing by attackers impractical. It does not contain sensitive information and only identifies the user’s session. HTTP responses to the client include an encrypted form of this value as a cookie, and clients send it back to Pega Platform in subsequent requests, where Pega Platform decrypts the cookie. The HttpOnly cookie attribute prevents client-side script from reading the cookie.
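The following added example (not Pega code; the cookie name, key and parameter names are assumed for illustration) shows the properties the paragraph describes: a session ID drawn from a cryptographically secure source with more than 128 bits of entropy, a cookie value the client cannot forge or alter, and the HttpOnly and Secure attributes on the Set-Cookie header. Where Pega Platform encrypts the cookie, the example binds the value with an HMAC tag instead, which is enough to reject tampered cookies and keeps the example to the standard library.

```python
import hashlib
import hmac
import secrets

SESSION_ID_BYTES = 32  # 256 bits of entropy, well above the 128-bit floor in the text

# Constructed demo key; a real deployment loads this from a secret store.
COOKIE_KEY = b"demo-cookie-key-not-for-production"
COOKIE_NAME = "DemoSession"  # assumed name, not the platform's real cookie name


def new_session_id() -> str:
    """Return a URL-safe session ID from the OS CSPRNG (no '.' in the alphabet)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_id_entropy_bits(nbytes: int = SESSION_ID_BYTES) -> int:
    """Entropy of a session ID built from nbytes random bytes."""
    return nbytes * 8


def seal_session_id(session_id: str, key: bytes = COOKIE_KEY) -> str:
    """Produce the cookie value: the opaque ID plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def open_session_cookie(value: str, key: bytes = COOKIE_KEY):
    """Return the session ID if the tag verifies, otherwise None (reject the cookie)."""
    session_id, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie line: Secure keeps it on TLS, HttpOnly hides it from script."""
    return (f"Set-Cookie: {COOKIE_NAME}={cookie_value}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    sid = new_session_id()
    sealed = seal_session_id(sid)
    print(set_cookie_header(sealed))
    print("verified:", open_session_cookie(sealed) == sid)
    tampered = sealed[:-1] + ("0" if sealed[-1] != "0" else "1")
    print("tampered cookie accepted:", open_session_cookie(tampered) is not None)
```

The server keeps the session object keyed by the bare ID; a client that edits even one character of the cookie gets `None` back and is treated as unauthenticated.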

In Pega Platform, you can define the session management policies, including:

  • Session timeouts.
  • Automatic termination of user sessions.
  • Cross-site request forgery (CSRF).
  • Cross-origin resource sharing (CORS).
  • Deactivation of users after successive days of inactivity.

Session timeouts

Pega Platform requires reauthentication from users who are inactive for a certain period of time. The system requires login credentials before resuming the browser session. Reauthentication limits the opportunity for malicious or unauthorized users to hijack an unattended browser session.

If your organization uses an authentication service and the application server or another external facility manages the session timeout, clear the timeout checkbox on the authentication service so that Pega Platform does not enforce its own timeout as well.

Configure the session timeout in one of the following places, depending on the security policies of the organization:

  • On the Advanced tab of the Access Group.
  • In the Advanced configuration settings section of the authentication service (except for the Custom, Anonymous and Kerberos types), select the Use access group timeout checkbox.
  • On the Custom tab of the authentication service for custom and Kerberos facilities, select the Use PegaRULES Timeout checkbox.

Automatic termination of user sessions

To terminate active user sessions after a specific amount of time (for example, 8 hours) regardless of activity, create a custom timeout activity that uses pxSessionTimer to display the logout screen.
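The two policies above, idle reauthentication and absolute termination, are easy to confuse, so here is an added example (not Pega code) that evaluates both against a session record. The idle limit of 30 minutes is an assumed stand-in for the access group timeout; the 8-hour absolute limit is the example value from the text. The decision names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SessionRecord:
    operator_id: str
    created_at: datetime      # when the session was established after login
    last_activity: datetime   # most recent authenticated request


IDLE_TIMEOUT = timedelta(minutes=30)   # assumed access-group timeout
ABSOLUTE_LIMIT = timedelta(hours=8)    # the 8-hour example from the text


def evaluate_session(record: SessionRecord, now: datetime,
                     idle_timeout: timedelta = IDLE_TIMEOUT,
                     absolute_limit: timedelta = ABSOLUTE_LIMIT) -> str:
    """Return 'terminate', 'reauthenticate' or 'active' for this request.

    The absolute limit is checked first: a session that has reached its
    lifetime ends even if the user is busy, which is what the custom
    timeout activity enforces. The idle check then decides whether the
    user must present credentials again before the session resumes.
    """
    if now - record.created_at >= absolute_limit:
        return "terminate"
    if now - record.last_activity >= idle_timeout:
        return "reauthenticate"
    return "active"


def touch(record: SessionRecord, now: datetime) -> None:
    """Record activity; only an active session should be touched."""
    record.last_activity = now


if __name__ == "__main__":
    # Constructed timeline for a single operator.
    login = datetime(2024, 1, 15, 9, 0)
    rec = SessionRecord("operator@example.test", login, login)
    for minutes in (10, 45, 8 * 60 + 5):
        print(minutes, "min after login:", evaluate_session(rec, login + timedelta(minutes=minutes)))
```

Calling `touch` on every authenticated request keeps the idle clock moving; nothing resets `created_at`, so the absolute limit always wins once the 8 hours have elapsed.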

Cross-site request forgery

Configure CSRF settings to prevent CSRF attacks, in which a user is tricked into making unintended changes. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames to check for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session receives one or more unique tokens that are available to the browser for inclusion in the URL of all requests. The system examines each request for a valid token and rejects the request if it detects no token or an invalid token.

For more information, see Enabling and configuring Cross-Site Request Forgery settings.

Cross-origin resource sharing

CORS policies define a mechanism by which a browser and a server interact to determine whether it is safe to allow a cross-origin request. A CORS policy enables cross-domain requests and applies only to cross-domain browser requests. In Pega Platform, CORS policies can only be associated with REST services. CORS does not apply when the system sends requests through server-side logic, such as Java code, or when the client is not a browser, such as Postman.

Implementing CORS policies enhances security and reduces costs while allowing controlled access to resources from other systems or websites.
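To make the scope of CORS concrete, here is an added example (not Pega's implementation; the policy fields, origins and decision names are assumed) of the server-side decision for a REST service: requests without an Origin header, such as those from Java code or Postman, are outside CORS entirely, while browser requests are allowed only when the origin, and for preflights the method and headers, match the policy.

```python
from dataclasses import dataclass, field


@dataclass
class CorsPolicy:
    allowed_origins: set[str]
    allowed_methods: set[str] = field(default_factory=lambda: {"GET", "POST"})
    allowed_headers: set[str] = field(default_factory=lambda: {"content-type", "authorization"})
    max_age: int = 600  # seconds a browser may cache the preflight result


def evaluate_cors(policy: CorsPolicy, request_headers: dict[str, str], method: str):
    """Return (decision, response_headers); decision is one of
    'not-applicable', 'allowed' or 'denied'."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        # No Origin header: not a cross-origin browser request, so CORS does not apply.
        return "not-applicable", {}
    if origin.lower() not in {o.lower() for o in policy.allowed_origins}:
        # Echoing nothing makes the browser block the response for that page.
        return "denied", {}
    response = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method.upper() == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: the browser asks before sending a non-simple request.
        wanted_method = headers["access-control-request-method"].upper()
        if wanted_method not in policy.allowed_methods:
            return "denied", {}
        wanted_headers = {h.strip().lower()
                          for h in headers.get("access-control-request-headers", "").split(",")
                          if h.strip()}
        if not wanted_headers <= policy.allowed_headers:
            return "denied", {}
        response.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
            "Access-Control-Allow-Headers": ", ".join(sorted(policy.allowed_headers)),
            "Access-Control-Max-Age": str(policy.max_age),
        })
    return "allowed", response


if __name__ == "__main__":
    # Constructed policy and requests.
    policy = CorsPolicy(allowed_origins={"https://portal.example.test"})
    print(evaluate_cors(policy, {}, "GET"))                      # Postman / server-side call
    print(evaluate_cors(policy, {"Origin": "https://portal.example.test"}, "GET"))
    print(evaluate_cors(policy, {"Origin": "https://other.example.test"}, "GET"))
    print(evaluate_cors(policy, {"Origin": "https://portal.example.test",
                                 "Access-Control-Request-Method": "DELETE"}, "OPTIONS"))
```

Note that a denied decision is enforced by the browser, not the server: the request may still reach the REST service, so CORS controls which web pages can read responses and is not a substitute for authentication on the service itself.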

Deactivation of users after successive days of inactivity

As a best practice, prevent inactive users from logging in to Pega Platform. Each operator ID has a defined number of days of inactivity after which the system automatically disables it. You can also manually disable a user at any time if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session time-outs and the disabling of operator IDs, and control the auditing of login events.
