Support Article

How to set cookies to HTTP-Only?



How to set the JSESSIONID, LB, and Pega-Rules cookies to HttpOnly and Secure?


  1. Apply HFix-9206.
  2. Add <env name="cookie/HttpOnly" value="true" /> to the prconfig.xml file.
  3. Add the following line to the prconfig.xml file (no hotfix needed) to set the Secure flag on cookies: <env value="true" name="HTTP/SetSecureCookie"/>
Note: The two options are available out of the box and no hotfix is required in Pega 7.1.
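
A check for the steps above, as an added example that is not part of the original article or Pega's own code: it reads prconfig.xml text for the two settings and inspects Set-Cookie response headers for the three cookies. The sample prconfig.xml, the header values and the function names are constructed for illustration; cookie names are matched case-insensitively.

```python
import xml.etree.ElementTree as ET

# Setting names taken from the steps above; both must be "true".
REQUIRED_SETTINGS = {"cookie/HttpOnly": "true", "HTTP/SetSecureCookie": "true"}
# Cookie names from the article's question (compared case-insensitively).
COOKIES = {"jsessionid", "lb", "pega-rules"}


def missing_settings(prconfig_xml):
    """Return the required prconfig settings that are absent or not 'true'."""
    root = ET.fromstring(prconfig_xml)
    found = {e.get("name"): (e.get("value") or "").strip().lower()
             for e in root.iter("env")}
    return sorted(n for n, v in REQUIRED_SETTINGS.items() if found.get(n) != v)


def missing_flags(set_cookie_headers):
    """Map each tracked cookie seen in the headers to the flags it lacks."""
    result = {}
    for header in set_cookie_headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        name = pair.split("=", 1)[0]
        if name.lower() not in COOKIES:
            continue  # not one of the cookies the article covers
        present = {a.split("=", 1)[0].lower() for a in attrs}
        result[name] = [f for f in ("HttpOnly", "Secure")
                        if f.lower() not in present]
    return result


# Constructed sample inputs (not taken from a real system).
SAMPLE_PRCONFIG = """<pegarules>
  <env name="cookie/HttpOnly" value="true" />
  <env value="false" name="HTTP/SetSecureCookie"/>
</pegarules>"""

SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/prweb; Secure; HttpOnly",
    "Pega-RULES=H4sample; Path=/prweb; HttpOnly",
    "LB=node1; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("prconfig settings missing:", missing_settings(SAMPLE_PRCONFIG))
    for cookie, flags in missing_flags(SAMPLE_HEADERS).items():
        print(cookie, "missing:", ", ".join(flags) or "nothing")
```

Feed missing_flags the Set-Cookie lines captured from a login response over HTTPS; an empty list for every cookie means both flags are present.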

Published November 30, 2016 - Updated October 8, 2020
