
Support Article

Unauthenticated requestor timeout prevents MFA

SA-48652

Summary



The user is running Pega 7.2 and has implemented two-factor authentication with custom code.

In the first step, LDAP authentication is performed; custom code then obtains a passcode using the Google Authenticator API.

After the LDAP credentials are validated, an e-mail containing the Google Authenticator passcode is sent to the user.

This passcode is stored in the database and overwritten on each authentication attempt. The user must enter the passcode in the next step to log in to Pega. Because the passcode is e-mailed, it sometimes takes 4-5 minutes for the user to receive the mail; by the time they enter the passcode, the unauthenticated requestor has timed out, so they cannot complete two-factor authentication and log in to Pega.

The user is aware that the unauthenticated requestor times out within a minute and that there is no setting to change this. The user also understands that the short timeout exists to avoid having many idle unauthenticated requestors consuming resources.

However, to meet the security requirement for multi-factor authentication, the user asked Pega to provide a configurable option for the unauthenticated requestor timeout value.


Error Messages



Not Applicable


Steps to Reproduce

  1. Implement two-factor authentication that, after LDAP authentication, shows a challenge screen where the user enters the Google Authenticator passcode.
  2. Wait more than a minute before entering the passcode. By the time the passcode is entered to complete the login to Pega, the unauthenticated requestor has timed out. The timeout itself can be reproduced on any Pega 7.2 instance by opening the login screen and waiting more than a minute before logging in.


Root Cause



A defect in Pegasystems' code or rules was identified as the root cause.

The unauthenticated requestor timeout is deliberately set to 1 minute in Pega code. A longer timeout keeps unauthenticated requestors in memory longer, which increases memory overhead, and it also widens the window for brute-force attacks against the login screen.

Anyone can hit the login screen repeatedly, and each access creates a new unauthenticated requestor.

If these are not cleaned up promptly, the system can run out of resources very quickly. This is the main reason unauthenticated requestors are cleaned up after one minute.

Resolution



Perform the following local-change steps:
  1. Apply HFix-39823.
  2. Edit the prconfig.xml file and add the entry below to set the unauthenticated requestor timeout in minutes:
    <env name="timeout/requestor/shortlived" value="xx"/> (where xx is the timeout in minutes)
  3. Make this change on all nodes and restart the Pega application server instances.
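Because the resolution has to be applied on every node, and because the root cause above explains why a long timeout costs memory and widens the brute-force window, an operator will want to confirm the setting is present, consistent and bounded across the cluster. The following Python check is an added example, not Pega's own code or tooling; the node names, the sample prconfig.xml fragments and the 5-minute ceiling are constructed assumptions.

```python
# Added example (not Pega code): audit the timeout/requestor/shortlived entry across
# a set of prconfig.xml files. Node names, file contents and the ceiling are assumed.
import xml.etree.ElementTree as ET

SETTING = "timeout/requestor/shortlived"


def shortlived_timeout(prconfig_xml: str):
    """Return the configured timeout in minutes, or None if the entry is absent.
    Raises ValueError if the entry is duplicated or not a positive integer of minutes."""
    root = ET.fromstring(prconfig_xml)
    values = [e.get("value") for e in root.iter("env") if e.get("name") == SETTING]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError(f"{SETTING} defined {len(values)} times; keep a single entry")
    raw = (values[0] or "").strip()
    if not raw.isdigit() or int(raw) < 1:
        raise ValueError(f"{SETTING} must be a positive integer of minutes, got {raw!r}")
    return int(raw)


def check_nodes(configs: dict, ceiling_minutes: int = 5):
    """configs maps node name -> prconfig.xml text. Returns a list of findings;
    an empty list means every node has the entry, within the ceiling, and agrees."""
    findings = []
    seen = {}
    for node, xml_text in configs.items():
        try:
            minutes = shortlived_timeout(xml_text)
        except (ET.ParseError, ValueError) as exc:
            findings.append(f"{node}: {exc}")
            continue
        if minutes is None:
            findings.append(f"{node}: {SETTING} missing (default 1-minute timeout applies)")
            continue
        if minutes > ceiling_minutes:
            findings.append(f"{node}: {minutes} min exceeds ceiling of {ceiling_minutes} min")
        seen[node] = minutes
    if len(set(seen.values())) > 1:
        findings.append(f"nodes disagree on {SETTING}: {seen}")
    return findings


# Constructed sample fragments for three nodes (not from any real deployment).
NODE_CONFIGS = {
    "node1": '<pegaconfig><env name="timeout/requestor/shortlived" value="5"/></pegaconfig>',
    "node2": '<pegaconfig><env name="timeout/requestor/shortlived" value="60"/></pegaconfig>',
    "node3": '<pegaconfig><env name="example/unrelated-setting" value="x"/></pegaconfig>',
}

if __name__ == "__main__":
    for finding in check_nodes(NODE_CONFIGS):
        print(finding)
```

Run against the real files by reading each node's prconfig.xml into the dictionary in place of the constructed fragments.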

Published July 23, 2018 - Updated October 8, 2020
