Discussion

How to set HttpOnly for Pega-RULES cookie?

Hi, 

I have modified web.xml with 

    <session-config>
        <session-timeout>60</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>  

but it didn't work at all.

I changed Context.xml with <Context useHttpOnly="true">. But this also didn't work.

Then I created a filter class to set HttpOnly for all the cookies that any servlet has received in its request and added this filter within prweb and redeployed it, followed by a restart. This time it worked for other cookies, but not for the Pega-RULES cookie.

What's so special about this cookie? What does it do? How do I set HttpOnly for this Pega-RULES cookie?

Any help is highly appreciated. Thanks in advance.

Regards,

AB

Comments

February 17, 2014 - 4:08am

Hi Experts,

This is one of the big security concerns that we have in our project. So, I would really appreciate if somebody can kindly help me out on this.

AB

Pega
December 16, 2014 - 3:04pm

In case anyone else runs across this and has the same issue, HFIX-9206 provides the ability to set cookies to HTTPOnly for PRPC 6.3 SP1.  Once you have it installed, you can set <env name="cookie/HttpOnly" value="true" /> in prconfig.xml and cookies will be HTTPOnly.  This will prevent integration with Microsoft Office etc.

PRPC 7.1 has this capability built in - just add <env name="cookie/HttpOnly" value="true" /> to prconfig.
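Whichever route is taken (hotfix, prconfig `cookie/HttpOnly`, or a container setting), the only proof that it worked is the `Set-Cookie` header the browser actually receives. The checker below is an added example, not code from Pega or from this thread: it parses `Set-Cookie` header values per RFC 6265 (attribute names are case-insensitive) and reports every cookie that lacks HttpOnly or Secure. The sample headers and cookie values are constructed; `check_url` is an optional helper for a live response.

```python
"""Report cookies that lack the HttpOnly / Secure attributes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import urllib.request

# Constructed sample headers for a Pega response; values are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=ABC123; Path=/prweb; Secure; HttpOnly",
    "Pega-RULES=SAMPLEVALUE; Path=/prweb",
    "Pega-Perf=itx=100; Path=/prweb; HttpOnly",
]


@dataclass
class CookieFlags:
    name: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and the two flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = CookieFlags(name=name)
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()  # case-insensitive
        if key == "secure":
            flags.secure = True
        elif key == "httponly":
            flags.http_only = True
    return flags


def find_unprotected(headers: List[str],
                     required: Tuple[str, ...] = ("http_only", "secure")) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for each cookie missing a required flag."""
    missing: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        lacking = [f for f in required if not getattr(cookie, f)]
        if lacking:
            missing[cookie.name] = lacking
    return missing


def check_url(url: str) -> Dict[str, List[str]]:
    """Fetch one response (hypothetical URL supplied by the caller) and check its cookies."""
    with urllib.request.urlopen(url) as resp:
        return find_unprotected(resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    for name, lacking in find_unprotected(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(lacking)}")
```

Run it against the login page and a post-login page separately, since Pega-RULES is typically issued after authentication.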

January 15, 2015 - 9:51am

In WebSphere, if you go to the JVM additional properties, you will have the option to configure httponly = true.

But the problem is that your Excel integration doesn't work.

Regards,

Chandrasekhar Bhagath.