@Eranda Weerasingha as you have not had any response, I will provide some input.  

NOTE: The below answer came from a GenAI tool.  It is imperative you check the References used to come with this answer.

---------------------------------------------

Your approach to enabling secure cookies is on the right track, but there are some important nuances and additional security measures to consider for complete implementation.

Regarding Your Current Implementation Plan

The steps you outlined for enabling secure cookies are generally correct. However, there's a slight difference in the dynamic system setting usually referenced in Pega documentation:

• You mentioned setting http/secureCookies to true in DSS
• The standard Pega documentation typically refers to prconfig/HTTP/SetSecureCookie/default

Both settings can work to enable the secure flag, but the latter is more consistently referenced in official documentation. You might want to verify both settings in your environment.

Additional Security Considerations

Beyond your current plan, consider implementing these additional measures for comprehensive cookie security:

1. HttpOnly Flag:
   • Set prconfig/cookie/HttpOnly/default to true
   • This prevents client-side scripts (JavaScript) from accessing the cookie
   • Adds protection against cross-site scripting (XSS) attacks
2. SameSite Cookie Attribute:
   • Enable the SameSite cookie attribute in your CSRF settings
   • Select either 'Lax' or 'Strict' in the SameSite Options
   • This helps prevent cross-site request forgery (CSRF) attacks
   • Controls how cookies are sent with cross-origin requests
3. Session Management Policies:
   • Implement appropriate session timeouts
   • Configure automatic termination of inactive sessions
   • These measures help mitigate risks of session hijacking
4. Cookie Encryption:
   • By default, the session cookie is encrypted using a Pega-generated key
   • You can enhance security by configuring your own master key for cookie encryption
   • This is managed through the System Data Encryption settings

Verification Process

Your plan to verify the secure flag in Chrome DevTools is excellent. When checking, ensure that:

1. The cookie has both the Secure flag set
2. The HttpOnly flag is present (if implemented)
3. The SameSite attribute is correctly configured (if implemented)
4. The cookie is only being transmitted over HTTPS connections

Common Implementation Issues

Some common issues to watch for:

• Ensure your application server is compatible with these settings
• Some Tomcat versions (8.5.42 or below) may require specific DSS configurations
• If you're working in a load-balanced environment, verify settings are consistent across all nodes
• After implementation, thoroughly test authentication workflows to ensure functionality is preserved

References:

• Cookie usage in Pega software
• Understanding HTTP status codes for troubleshooting common issues
• Setting cookies http-only and secure