Session management

After initial authentication, session management features ensure that requests for access to the system (and its data) continue to come from authenticated requestors. Pega Platform™ allocates a session object on behalf of the user, identified by a randomly generated, unique session ID. The session ID contains enough entropy (greater than 128 bits) to prevent collisions and successful guessing by attackers. It does not contain sensitive information and only identifies the user's session. HTTP responses to the client include an encrypted form of this value as a cookie, which the client then sends back to Pega Platform in all subsequent requests. Pega Platform decrypts the cookie. The HttpOnly cookie attribute protects the cookie against access by client-side scripts.
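The two properties this paragraph describes, a session ID with more than 128 bits of entropy and a cookie flagged HttpOnly, are the ones an assessor checks in the responses a deployment actually returns. The following audit is an added example, not Pega Platform code; the cookie names and values are constructed, and the entropy figure is an upper bound derived from the value's length and alphabet, which is the most a black-box check can say.

```python
import re

# Constructed sample Set-Cookie headers. Names and values are made up; they are not
# Pega Platform's real session cookie. The first value is 43 base64url characters.
SAMPLE_SET_COOKIES = [
    "SESSIONID=Qm8rQ2dXbXl2bDJ2MDUxZjE1MGRkNzM2YjNjNDRjN2E; Path=/; Secure; HttpOnly; SameSite=Lax",
    "SESSIONID_LEGACY=1234abcd; Path=/",
]

HEX = re.compile(r"^[0-9a-fA-F]+$")
B64URL = re.compile(r"^[A-Za-z0-9_-]+=*$")


def estimate_entropy_bits(value: str) -> int:
    """Upper bound on the ID's entropy from length and alphabet (hex: 4 bits/char, base64url: 6)."""
    if HEX.match(value):
        return len(value) * 4
    if B64URL.match(value):
        return len(value.rstrip("=")) * 6
    return 0  # unknown encoding: assume no assured entropy


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, lower-cased attribute names)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in rest if p}
    return name, value, attrs


def audit_set_cookie(header: str, min_bits: int = 128) -> list:
    """Return findings for one session cookie header; an empty list means it passes."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (client-side scripts can read the cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie may be sent over plain HTTP)")
    bits = estimate_entropy_bits(value)
    if bits < min_bits:
        findings.append(f"{name}: value carries at most {bits} bits, below {min_bits}")
    return findings


def audit_response(set_cookies: list) -> dict:
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in set_cookies}
```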

In Pega Platform, you can define the session management policies, including:

  • Session timeouts.
  • Automatic termination of user sessions.
  • Cross-site request forgery (CSRF).
  • Cross-origin resource sharing.
  • Deactivation of users after successive days of inactivity.

Session timeouts

Pega Platform requires reauthentication from users who are inactive for a certain period of time. The system requires login credentials before resuming the browser session. Reauthentication prevents malicious or unauthorized users from hijacking the browser session. 

If your organization uses an authentication service and the application server or another external facility manages the session timeout, clear the timeout check box. 

Configure the session timeout in one of these places, depending on your organization's security policies: 

  • On the Advanced tab of the access group. 

  • In the Advanced configuration settings section of the authentication service (except for the Custom, Anonymous, and Kerberos types) by enabling the Use access group timeout check box. 

  • On the Custom tab of the authentication service for the Custom and Kerberos types by enabling the Use PegaRULES Timeout check box. 

  • In a portal rule that uses the pxSessionTimer section. 

Automatic termination of user sessions

To terminate active user sessions after a specific amount of time (for example, 8 hours), create a custom timeout activity that uses pxSessionTimer to display the logout screen. 

Cross-site request forgery

Configure CSRF settings to prevent CSRF attacks that can cause users to make unintentional changes. You can set validation for activities and streams, add hostnames to an allow list, and specify hostnames to check for a CSRF token. Pega Platform uses session tokens to mitigate the risk of CSRF attacks. Each user session receives one or more unique tokens that are available to the browser for inclusion in the URL of all requests. The system examines each request for a valid token and rejects the request if it detects no token or an invalid token. 

For more information, see Enabling and configuring Cross-Site Request Forgery settings.
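The check described above, a hostname allow list, a list of hostnames whose requests must carry a token, and per-session tokens that are presented in the request URL, can be modelled as a small validator. This is an added example, not Pega Platform's implementation: the host names, the query parameter name `csrf_token`, and the rule that allow-listed hosts skip the token check while every other configured host must present one are assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical configuration mirroring the three CSRF settings the page lists.
# Host names and the parameter name are constructed, not Pega's own.
ALLOW_LIST = {"sso.example.test"}          # requests from these hosts skip the token check
TOKEN_CHECK_HOSTS = {"app.example.test"}   # requests from these hosts must carry a token
TOKEN_PARAM = "csrf_token"


class Session:
    """One user session holding the unique tokens issued to its browser."""

    def __init__(self):
        self.tokens = set()

    def issue_token(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self.tokens.add(token)
        return token


def validate_request(session: Session, url: str, origin_host: str):
    """Decide whether a state-changing request is accepted; returns (accepted, reason).

    origin_host is the host taken from the browser's Origin (or Referer) header.
    """
    if origin_host in ALLOW_LIST:
        return True, "origin host on allow list"
    if origin_host not in TOKEN_CHECK_HOSTS:
        return False, "origin host not configured"
    presented = parse_qs(urlparse(url).query).get(TOKEN_PARAM, [None])[0]
    if presented is None:
        return False, "no token"
    # Constant-time comparison against each token the session holds.
    for token in session.tokens:
        if hmac.compare_digest(token.encode(), presented.encode()):
            return True, "valid token"
    return False, "invalid token"
```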

Cross-origin resource sharing

Cross-origin resource sharing (CORS) policies control how other systems or websites can access resources (APIs and services) provided by your application. For example, Pega Platform uses CORS policies to restrict which Pega robotic client apps can connect to your Pega applications and limit which mobile apps can call Pega mobile services.

To configure a CORS policy, you complete two main tasks:

  • Define the CORS policy for an API or REST service by specifying the allowed origins, allowed headers, exposed headers, allowed methods, credential usage, and preflight expiration time. For more information, see Creating a cross-origin resource sharing policy.

  • Map the CORS policy to an endpoint (URL or path) for the API or REST service that you want to protect. For more information, see Mapping an endpoint to a cross-origin resource sharing policy.
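To show how the two tasks fit together, the following added example (not Pega Platform code) holds a policy with exactly the fields listed above, maps policies to endpoint path prefixes, and answers a browser preflight request by either returning the response headers or refusing with none. The paths, origins, and header names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class CorsPolicy:
    """The fields the page lists for one CORS policy."""
    allowed_origins: set
    allowed_methods: set
    allowed_headers: set
    exposed_headers: set = field(default_factory=set)
    allow_credentials: bool = False
    preflight_max_age: int = 600  # seconds the browser may cache the preflight result


# Constructed endpoint mapping (path prefix -> policy); the longest matching prefix wins.
SAMPLE_MAPPING = {
    "/api/cases/": CorsPolicy({"https://portal.example.test"}, {"GET", "POST"},
                              {"Content-Type", "Authorization"}, {"X-Request-Id"}, True, 300),
    "/api/public/": CorsPolicy({"*"}, {"GET"}, set()),
}


def policy_for(path: str, mapping=SAMPLE_MAPPING):
    prefixes = [p for p in mapping if path.startswith(p)]
    return mapping[max(prefixes, key=len)] if prefixes else None


def preflight(path, origin, req_method, req_headers, mapping=SAMPLE_MAPPING):
    """Answer an OPTIONS preflight: headers to send, or None to refuse (no CORS headers at all)."""
    pol = policy_for(path, mapping)
    if pol is None:
        return None
    wildcard = "*" in pol.allowed_origins
    if origin not in pol.allowed_origins and not wildcard:
        return None
    if req_method not in pol.allowed_methods:
        return None
    if not {h.lower() for h in req_headers} <= {h.lower() for h in pol.allowed_headers}:
        return None
    if pol.allow_credentials and wildcard:
        return None  # browsers reject "*" with credentials; refuse rather than echo any origin
    headers = {
        "Access-Control-Allow-Origin": "*" if wildcard else origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(pol.allowed_methods)),
        "Access-Control-Max-Age": str(pol.preflight_max_age),
        "Vary": "Origin",
    }
    if pol.allowed_headers:
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(pol.allowed_headers))
    if pol.exposed_headers:
        headers["Access-Control-Expose-Headers"] = ", ".join(sorted(pol.exposed_headers))
    if pol.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```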

Deactivation of users after successive days of inactivity

As a best practice, prevent inactive users from logging in to Pega Platform. Each operator ID has a defined number of days of inactivity after which the system automatically disables it. However, you can manually disable a user at any time if necessary. Enable security policies for user authentication and session management to improve application security. You can control the strength of user IDs and passwords, manage session timeouts and the disabling of operator IDs, control the auditing of login events, and configure multi-factor authentication. For more information, see Configuring multi-factor authentication policies.
