Question

Setting cookies http-only and secure

Hi... Are the DSS settings below correct, and will they achieve the desired result, or do I have to make changes in web.xml and redeploy the EAR?

prconfig/cookie/HttpOnly/default = true

prconfig/HTTP/SetSecureCookie/default = true


Correct Answer
September 17, 2015 - 8:32pm

After removing the secure cookie setting, things started working fine. It seems this setting is applicable to servlet specification 3.0, while in Pega 7.1.5 we are using the servlet 2.5 specification.

Comments

September 10, 2015 - 8:21pm

My current Pega version is 7.1.5.

Pega
September 11, 2015 - 7:14am
Response to DPSSingh

Hi,

The DSS settings should work, but a server restart is required to make them take effect.

September 11, 2015 - 10:20am

Can you elaborate on what you mean by 'desired result'?

September 11, 2015 - 10:44am

You should look at the Fiddler trace. The HTTP headers should say http-only.

September 15, 2015 - 12:18pm
Response to VipinKumar38163630

Hi All... Even after creating these DSS settings and restarting the server, Fiddler is still not showing the cookie as HttpOnly. My Fiddler trace still says this (no HttpOnly attribute is set):

Set-Cookie: Pega-RULES=H81C6814D9A5EEEE42E6D0169D088D9C1; path=/prweb

I researched on the PDN and it says that in Pega 7.1.x these settings are OOTB and should work, but in my case it's still not working.

https://pdn.pega.com/support-articles/how-to-set-cookies-to-http-only

September 15, 2015 - 1:44pm
Response to DPSSingh

I just confirmed with 7.1.8 (on Tomcat); it is working. Open an SR if you still cannot make that work:

GET https://wsep02w7:39643/prweb/311tLSRH6FY_ckiZ-QSuUrIuLBGH9n58HxMtcaL4sm8%5B*/!STANDARD? HTTP/1.1
Host: wsep02w7:39643
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=3015E796979D80A62763D7168F7ED1A9; Pega-RULES={atn}e3ByfWI2Y1JNeGE1LzVwVC80ZGdZNTBJY2RjcDVpMnB3K3VPMXV0S3ZoeEtaQ0cvaTR3OUhBWlkyNDZuanYrVUtzcnBhTlJUZ0UxaHlYRDUKc2dzTTVaVFgydz09

HTTP/?.? 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: Pega-RULES={atn}e3ByfXVQZFU4VCtEbW1TQmx6bkgxY3hVdi9UZitaNHAyWHYwUWlsR2tMM1U5eGhVTmJ2TUdweGhUb1Q2Z0hjWnZIaXhBdnhpb2FZeVZRR3kKLzh5anVsU0o0QT09; Path=/prweb; Secure; HttpOnly
Cache-Control: max-age=0
Content-Encoding: gzip
Content-Type: text/html;charset=UTF-8
Content-Length: 2359
Date: Tue, 15 Sep 2015 17:41:39 GMT

September 15, 2015 - 2:11pm
Response to KevinZheng_GCS

Kevin Zheng - Could you please let me know whether you tested using DSS settings or by changing web.xml and redeploying the WAR file? In my case it's not working, so I believe I have to raise an SR.

September 15, 2015 - 2:39pm
Response to DPSSingh

Yes, it works both using DSS and using prconfig.xml.

September 17, 2015 - 3:59pm
Response to KevinZheng_GCS

Hi Kevin Zheng... after restarting the server multiple times the setting seems to be working now, and I can see both attributes are set properly in Fiddler, as shown below:

JSESSIONID=7yk2V7hNB2KyynC8H3XC7p7nhPyYTv2H2g0xrsyN3KfgntZ91DLW!-103695969; path=/; HttpOnly

Pega-RULES={atn}e3ByfW1aMTR6WTFmTXhkSE4vR3N1cW9nU0M0UUtMbUYxSDFXUFlMcFk0R01HMWtqOUd3MnZJd3pRVUxiV0E3MUk2Rmx2UDR2RG1sRVFWUkwKQXp3QU1uQVV5QT09; path=/prweb; secure

But now when I enter my ID and password and click Submit on the login page I get the error below; it is not letting me in (FYI, cookies are enabled). Can you please throw some light on this issue?

Status: fail
Message: An error has occurred which indicates that your browser does not support Cookies. You must enable Cookies in order to use this application
Operator ID: F579211
Requestor ID: HAD8FDB6B61D9FFA7144F08C58C10A099
Timestamp: Thu Sep 17 15:52:53 EDT 2015
Engine Version: PegaRULES 7.10 ML5 (coreAssemblyCached_715_230_filtered)

September 17, 2015 - 4:04pm
Response to DPSSingh

Are you using https?

September 17, 2015 - 4:10pm
Response to KevinZheng_GCS

Not yet; it's the next thing I will be implementing for our application.

September 17, 2015 - 8:32pm
Response to KevinZheng_GCS

After removing the secure cookie setting, things started working fine. It seems this setting is applicable to servlet specification 3.0, while in Pega 7.1.5 we are using the servlet 2.5 specification.
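A small audit script, added here as an example (it is not Pega's code and was not posted by anyone in this thread), that does the two checks the thread revolves around: it parses Set-Cookie header values like the ones quoted above and reports which of HttpOnly and Secure is missing, and it models the browser rule behind the "browser does not support Cookies" error: a cookie carrying the Secure attribute is never returned on an http:// request, so a server that issues a Secure session cookie over plain HTTP never gets that cookie back. The header strings are the ones posted above with their values shortened, and the http:// and https:// request URLs are constructed for the host that appears in Kevin's trace; path matching is simplified to a prefix test.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and model why a Secure
cookie breaks login over plain HTTP. Example code; not Pega's."""
from urllib.parse import urlparse

# Set-Cookie values quoted in the thread (long values shortened).
SAMPLE_SET_COOKIES = [
    "Pega-RULES=H81C6814D9A5EEEE42E6D0169D088D9C1; path=/prweb",          # neither flag
    "Pega-RULES={atn}e3ByfXVQ...AT09; Path=/prweb; Secure; HttpOnly",     # both flags
    "JSESSIONID=7yk2V7hNB2Ky!-103695969; path=/; HttpOnly",                # no Secure
    "Pega-RULES={atn}e3ByfW1aMTR...AU5QT09; path=/prweb; secure",          # no HttpOnly
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lowercased because browsers compare them
    case-insensitively (so 'secure' and 'Secure' are the same flag).
    Flag attributes without '=' map to True; others keep their value.
    Only the first '=' in the cookie-pair is split, so base64 values that
    contain '=' padding survive intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def missing_flags(header_value):
    """Return the protective flags absent from a Set-Cookie value, in a
    fixed order, so an empty list means the cookie has both."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def cookie_would_be_sent(header_value, request_url):
    """Model the client rule that caused the login loop in this thread.

    A cookie with the Secure attribute is only attached to https:// requests.
    Path is checked with a simplified prefix match (hypothetical; RFC 6265
    path-matching is slightly stricter).
    """
    _, _, attrs = parse_set_cookie(header_value)
    url = urlparse(request_url)
    if attrs.get("secure") and url.scheme != "https":
        return False
    path = attrs.get("path", "/")
    if not isinstance(path, str):   # bare 'Path' with no value: treat as root
        path = "/"
    return url.path.startswith(path)


def audit(header_values):
    """Map each cookie name to the flags it lacks; used for the report below."""
    report = {}
    for header_value in header_values:
        name, _, _ = parse_set_cookie(header_value)
        report.setdefault(name, []).append(missing_flags(header_value))
    return report


if __name__ == "__main__":
    for header_value in SAMPLE_SET_COOKIES:
        name, _, _ = parse_set_cookie(header_value)
        lacking = missing_flags(header_value) or ["nothing"]
        print(f"{name:11s} missing: {', '.join(lacking)}")
    # Constructed URLs for the host in the trace above: the Secure cookie is
    # returned over https:// but silently dropped over http://.
    secure_cookie = SAMPLE_SET_COOKIES[3]
    for scheme in ("http", "https"):
        sent = cookie_would_be_sent(secure_cookie, f"{scheme}://wsep02w7:39643/prweb/PRServlet")
        print(f"{scheme}: Secure Pega-RULES cookie sent back = {sent}")
```

Run the script as-is to see the report for the four quoted headers; the last two lines reproduce the thread's symptom, where the Secure session cookie is dropped on the http:// login round trip. Point `SAMPLE_SET_COOKIES` at your own Fiddler or browser dev-tools capture to check a deployment.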

February 10, 2016 - 9:23am
Response to KevinZheng_GCS

HttpOnly is currently not working for me: PRPC 7.1.9 on JBoss 6.4.4.

We have the following DSS:

prconfig/cookie/httponly set to true

We do not have secure cookie settings applied.

Thoughts? I will open an SR for this as well.

-Jon