
Session management

After initial authentication, session management features ensure that requests for access to the system (and its data) continue to come from authenticated requestors. Pega Platform™ allocates a session object on behalf of the user and identifies that object with a randomly generated, unique session value. The session ID contains enough entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers. It does not contain sensitive information and only identifies the session of the user. HTTP responses to the client deliver an encrypted form of this value as a cookie, and the client returns it to Pega Platform in all subsequent requests. Only Pega Platform can decrypt it. The HttpOnly cookie attribute protects the cookie against access by client-side scripts.
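To make the properties described above concrete, the following added example (not Pega's code; the cookie name and 32-byte ID length are assumptions) generates a session identifier with 256 bits of randomness, emits it in a Set-Cookie header with the HttpOnly attribute, and audits an arbitrary Set-Cookie line for the protective attributes a session cookie should carry. The audit is the kind of check a reviewer would run against a real response.

```python
import secrets

# Assumed values for this example (not Pega settings).
SESSION_COOKIE_NAME = "SESSIONID"
SESSION_ID_BYTES = 32  # 256 bits of randomness, above the 128-bit floor


def new_session_id():
    """Return a fresh, unguessable session identifier from the OS CSPRNG."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def entropy_bits(num_random_bytes):
    """Entropy of an ID built from num_random_bytes random bytes."""
    return num_random_bytes * 8


def build_set_cookie(value):
    """Set-Cookie line with the attributes that keep the session ID out of scripts
    and off plaintext connections."""
    return f"{SESSION_COOKIE_NAME}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header_line):
    """Return the protective attributes missing from a Set-Cookie header line.

    The first ';'-separated part is name=value; the rest are attributes, which
    are compared case-insensitively because servers vary in capitalisation.
    """
    parts = [p.strip() for p in header_line.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    sid = new_session_id()
    print("entropy bits:", entropy_bits(SESSION_ID_BYTES))
    print(build_set_cookie(sid))
    # A constructed, weak header for comparison
    print("missing:", audit_set_cookie("SESSIONID=abc123; Path=/"))
```

The audit deliberately parses the raw header string rather than trusting a framework object, so it can be pointed at captured responses from any server.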

In Pega Platform, you can define the session management policies, including:

  • Session timeouts.
  • Automatic termination of user sessions.
  • Cross-site request forgery (CSRF).
  • Cross-origin resource sharing (CORS).
  • Deactivation of users after successive days of inactivity.

Session timeouts

Pega Platform requires users to reauthenticate by entering their login credentials when they are inactive for a certain period of time. The browser session cannot resume until the system accepts the login and password. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session. 

If the application server or another external facility manages the session timeout and your organization uses an authentication service, clear the timeout check box on that service.

Configure the session timeout in one of the following places, according to the security policies of your organization:

  • On the Advanced tab of the access group.
  • In the Advanced configuration settings section of the authentication service (except for Custom/Anonymous/Kerberos type) by enabling the Use access group timeout check box.
  • On the Custom tab of authentication service for custom and Kerberos types by enabling the Use PegaRULES Timeout check box.
  • In a portal rule that uses the pxSessionTimer section.

Automatic termination of user sessions

If an organization wants to terminate the active sessions of users when they are online for longer than a specific amount of time (for example, 8 hours), create a custom timeout activity by using pxSessionTimer to display the logout screen.
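The two policies above, an idle timeout and a hard cap on total session length, are demonstrated together in this added example. It is not Pega's code and does not use pxSessionTimer; it is a generic server-side session store with an injected clock so the behaviour can be exercised without waiting. The 30-minute idle timeout is an assumption; the 8-hour maximum lifetime is the figure used above.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 30 * 60      # assumed: 30 minutes without a request
MAX_LIFETIME_SECONDS = 8 * 60 * 60  # 8 hours, the example figure in the text


@dataclass
class Session:
    session_id: str
    user: str
    created_at: float   # seconds; an injected clock, not wall time, in this example
    last_seen: float


class SessionStore:
    """In-memory session store enforcing both an idle and an absolute timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, max_lifetime=MAX_LIFETIME_SECONDS):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime

    def create(self, user, now):
        """Allocate a session for an authenticated user; returns the new session ID."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = Session(sid, user, now, now)
        return sid

    def validate(self, sid, now):
        """Check a presented session ID at time `now`.

        Returns (True, "ok") and refreshes the activity timestamp, or
        (False, reason) after terminating the session so it cannot be resumed
        without a fresh login.
        """
        session = self._sessions.get(sid)
        if session is None:
            return False, "unknown"
        if now - session.last_seen > self.idle_timeout:
            self.terminate(sid)
            return False, "idle-timeout"
        if now - session.created_at > self.max_lifetime:
            self.terminate(sid)
            return False, "max-lifetime"
        session.last_seen = now
        return True, "ok"

    def terminate(self, sid):
        """Forcibly end a session (logout, admin action, or expiry)."""
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", 0.0)
    print(store.validate(sid, 600.0))    # active within the idle window
    print(store.validate(sid, 3000.0))   # 40 minutes idle: terminated
```

Expired sessions are removed rather than merely flagged, so a stale cookie presented later is indistinguishable from an unknown one.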

Cross-site request forgery

Configure CSRF settings to prevent users from unintentionally making changes because of a CSRF attack. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames that you want to check for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session receives one or more unique tokens, which are made available to the browser for inclusion in the URL of all requests. The system examines each request for a valid token and rejects the request if it detects no token or an invalid token.
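The mechanism described above, per-session tokens checked on every protected request plus an allow list of hostnames, is illustrated by the following added example. It is not Pega's implementation: the allow-listed host, the protected path prefixes, and the rule that the Origin or Referer host must be allow-listed when present are assumptions chosen to show the checks, and the token is compared in constant time.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed configuration for this example (not Pega settings).
ALLOWED_HOSTS = {"app.example.com"}            # hosts whose requests are accepted
PROTECTED_PATHS = ("/activity/", "/stream/")   # paths that require a CSRF token


def issue_csrf_token(session):
    """Bind a fresh unguessable token to the session for the page to embed in request URLs."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def _host_of(url):
    """Hostname part of a URL such as an Origin or Referer header, or None."""
    if not url:
        return None
    return urlsplit(url).hostname


def validate_request(session, path, token, origin=None, referer=None):
    """Return "ok" or a rejection reason for one incoming request.

    The request's source host (Origin, falling back to Referer) must be
    allow-listed when it is present; protected paths must additionally carry
    a token that was issued to this session.
    """
    source_host = _host_of(origin) or _host_of(referer)
    if source_host is not None and source_host not in ALLOWED_HOSTS:
        return "rejected: source host not allow-listed"
    if not path.startswith(PROTECTED_PATHS):
        return "ok"  # unprotected resource, no token required
    if token is None:
        return "rejected: missing token"
    # Constant-time comparison against every token issued to this session
    for issued in session.get("csrf_tokens", ()):
        if hmac.compare_digest(issued, token):
            return "ok"
    return "rejected: invalid token"


if __name__ == "__main__":
    session = {}
    tok = issue_csrf_token(session)
    print(validate_request(session, "/activity/Save", tok, origin="https://app.example.com"))
    print(validate_request(session, "/activity/Save", None, origin="https://app.example.com"))
```

Tokens live in the server-side session rather than in a cookie, so a forged cross-site request, which carries the cookie automatically, still lacks the token unless the page that generated it was served from an allow-listed host.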

For more information, see Enabling and configuring Cross-Site Request Forgery settings.

Cross-origin resource sharing

Cross-origin resource sharing (CORS) policies control how other systems or websites can access resources (APIs and services) provided by your application. For example, Pega Platform uses CORS policies to restrict which Pega robotic client apps can connect to your Pega applications and limit which mobile apps can call Pega mobile services.
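As an added example (not Pega's code; the allowed origins and methods are assumptions), the following contrasts an insecure CORS handler that reflects any Origin while allowing credentials with an allow-list handler that grants access only to exactly matching origins and answers preflight requests accordingly.

```python
# Assumed allow list for this example: the origins of the client apps that
# may call the application's services. Not a Pega setting.
ALLOWED_ORIGINS = {"https://robot.example.com", "https://mobile.example.com"}
ALLOWED_METHODS = ("GET", "POST")


def cors_headers_weak(origin):
    """Weak policy: reflects whatever Origin arrives and allows credentials.

    This grants every site on the web credentialed access to the API and is
    the configuration an allow list exists to replace.
    """
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS grant for an allow-listed origin, or {} for no grant.

    Comparison is an exact match on the full origin (scheme, host, port), so
    lookalike hosts and prefix tricks do not match.
    """
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not serve one origin's grant to another
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
    }


def handle_preflight(origin, requested_method):
    """Answer an OPTIONS preflight: (status, headers)."""
    headers = cors_headers(origin)
    if not headers:
        return 403, {}
    if requested_method not in ALLOWED_METHODS:
        return 403, {}
    return 204, headers


if __name__ == "__main__":
    print(handle_preflight("https://mobile.example.com", "POST"))
    print(handle_preflight("https://robot.example.com.other.test", "POST"))
```

The `Vary: Origin` header matters whenever the grant depends on the request's Origin: without it an intermediary cache could replay a grant issued for one origin to a different one.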

To configure a CORS policy, you complete two main tasks:

Deactivation of users after successive days of inactivity

As a best practice, prevent inactive users from logging in to Pega Platform. Each operator ID has a defined number of days of inactivity before the system automatically disables it. You can also manually disable a user at any time if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session timeouts and the disabling of operator IDs, control the auditing of login events, and implement CAPTCHA and multifactor authentication. For more information, see Configuring multi-factor authentication policies.
