
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Session cookie does not contain HttpOnly Attribute

SA-52806

Summary

The Pega-RULES session cookie is issued without the HttpOnly attribute. A cookie that lacks the HttpOnly attribute can be read by JavaScript running in the page (for example through document.cookie), so a cross-site scripting (XSS) flaw in the application can be used to steal the session cookie, which could lead to user impersonation or compromise of the application account.

Error Messages

Not Applicable

Steps to Reproduce

Not Applicable

Root Cause

Not Applicable

Resolution

Perform the following local-change steps:

1. Add the following Dynamic System Setting (DSS) or prconfig.xml entry so that the Set-Cookie header for the Pega-RULES cookie carries the HttpOnly attribute:

   DSS:           Owning Ruleset  - Pega-Engine
                  Setting Purpose - prconfig/cookie/httponly/default (the trailing "default" can vary based on node classification)
                  Value           - true

   prconfig.xml:  <env name="cookie/httponly" value="true"/>

2. Restart the server after the DSS/prconfig setting has been applied.
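A practical way to confirm the change after the restart is to request the application's entry page and inspect every Set-Cookie header that issues the Pega-RULES cookie. The script below is an added example and is not part of this article or of the Pega product: it parses Set-Cookie header values, reports which expected attributes are absent (HttpOnly, which this article's fix adds, plus Secure as an extra check the article does not cover), and can optionally run against a live URL given on the command line. The header strings embedded in it are constructed samples; the cookie value is made up and the /prweb path is assumed.

```python
"""Audit Set-Cookie headers for a missing HttpOnly (and Secure) attribute.

Added example, not part of the Pega support article or product. The sample
Set-Cookie values below are constructed; the cookie value is made up and the
/prweb path is assumed.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Attributes a session cookie should carry. HttpOnly is what the article's
# fix adds; Secure is an additional check added here (not covered by the article).
REQUIRED_FLAGS: Tuple[str, ...] = ("httponly", "secure")


@dataclass
class CookieRecord:
    name: str
    value: str
    # Attribute names are lower-cased; valueless flags (HttpOnly, Secure) map to True.
    attrs: Dict[str, object] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieRecord:
    """Parse one Set-Cookie header value into name, value and attributes.

    RFC 6265 attribute names are case-insensitive, so they are normalised to
    lower case. partition() splits on the first '=' only, so a '=' inside the
    cookie value is preserved.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return CookieRecord(name.strip(), value.strip(), attrs)


def missing_flags(header: str, required: Tuple[str, ...] = REQUIRED_FLAGS) -> List[str]:
    """Return the required flags that are absent from a single Set-Cookie header."""
    rec = parse_set_cookie(header)
    return [flag for flag in required if flag not in rec.attrs]


def audit(headers: List[str], cookie_name: str = "Pega-RULES") -> Dict[str, List[str]]:
    """Map each Set-Cookie header that sets cookie_name to its list of missing flags.

    A server may set the same cookie more than once during a login flow, so
    every occurrence is checked rather than only the first one.
    """
    return {h: missing_flags(h) for h in headers if parse_set_cookie(h).name == cookie_name}


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check: GET url and return all Set-Cookie values of the final response.

    urllib follows redirects, so cookies set only on an intermediate 3xx response
    are not seen. 4xx/5xx responses are still inspected, because a session cookie
    is often issued on the unauthenticated redirect-to-login page.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed samples: the cookie before and after cookie/httponly=true is applied.
SAMPLE_BEFORE = "Pega-RULES=0123456789abcdef; Path=/prweb; Secure"
SAMPLE_AFTER = "Pega-RULES=0123456789abcdef; Path=/prweb; Secure; HttpOnly"


def main(argv: List[str]) -> int:
    """Audit a live URL if one is given, otherwise the constructed samples."""
    headers = fetch_set_cookie_headers(argv[1]) if len(argv) > 1 else [SAMPLE_BEFORE, SAMPLE_AFTER]
    findings = audit(headers)
    if not findings:
        print("Pega-RULES cookie not found in any Set-Cookie header")
        return 2
    status = 0
    for header, missing in findings.items():
        print(f"{header}\n  missing: {', '.join(missing) if missing else 'none'}")
        if missing:
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two constructed samples evaluated, or as `python cookie_audit.py https://host/prweb/` (hypothetical URL) against the restarted node; a non-zero exit status means at least one Pega-RULES Set-Cookie header still lacks a required attribute. Because the script only looks at the final response, run it against the URL that actually issues the session cookie if the landing page redirects.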

Published July 23, 2018 - Updated January 7, 2021
