Question

To set the HTTPOnly and Secure attributes to "true" on the IAC-NonGateway cookie

In order to ensure IAC functionality in a secure environment, the following updates were made: HTTPOnly support has been enabled for prGatewaySESSIONID cookies; encryption and obfuscation have been set up for web nodes; added a check for login-config.xml to add default-users.properties and default-roles.properties to the other application-policy.

There is no current mechanism to accomplish this, and setting HTTPOnly to true would render the cookie useless. Was this cookie design removed in PEGA 7.1.7?

**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Comments


January 14, 2016 - 7:37am

Did you set the prconfig settings described here: https://pdn.pega.com/support-articles/how-set-cookies-http-only?
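
One way to confirm which attributes each cookie actually carries after a configuration change, as an added example that is not part of the original thread or of Pega's own code: it pulls the `Set-Cookie` headers out of a raw HTTP response and lists any cookie missing `HttpOnly` or `Secure`. The response text, cookie values, paths and the `JSESSIONID` entry are constructed samples; only the names `prGatewaySESSIONID` and `IAC-NonGateway` come from the post.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
# RAW_RESPONSE is a constructed sample, not output captured from a Pega server.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: prGatewaySESSIONID=abc123; Path=/prgateway; HttpOnly; Secure\r\n"
    "Set-Cookie: IAC-NonGateway=xyz789; Path=/\r\n"
    "set-cookie: JSESSIONID=def456; Path=/prweb; httponly\r\n"
    "\r\n"
    "<html>Set-Cookie: ignored=body</html>"
)

REQUIRED = ("httponly", "secure")


def set_cookie_values(raw):
    """Return the value of every Set-Cookie header in the header section only."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":  # field names are case-insensitive
            values.append(value.strip())
    return values


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Flags such as HttpOnly and Secure have no "=value" part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw, required=REQUIRED):
    """Map each cookie name to the required attributes it is missing."""
    findings = {}
    for value in set_cookie_values(raw):
        name, attrs = parse_set_cookie(value)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(RAW_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```
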