Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Venu Palakondu (VenuP634)
CBA

CBA
AU
VenuP634 Member since 2016 3 posts
CBA
Posted: Aug 28, 2016
Last activity: Sep 6, 2016
Posted: 28 Aug 2016 21:04 EDT
Last activity: 6 Sep 2016 15:46 EDT
Closed

Ineffective Logout Function

Hi,

Case Manager logout function is not clear cookies on the client side nor invalidate them on the server side. So, This could allow an attacker to continue accessing the web application if cookie values are intercepted, even if the user has logged out.

Please share your thougts.

Thanks,

***Updated by Moderator: Vidyaranjan. Removed user added #helpme and Ask the Expert tags. Apologies for confusion, shouldn't have been an end-user option***

To see attachments, please log in.
Case Management

Posted: 8 years ago
Posted: 29 Aug 2016 16:35 EDT
Mike Townsend (MikeTownsend_GCS) Director, Technical Support, Customer Service
Pegasystems Inc.
US

Hello Venu,

I'm not sure what function you are talking about specifically. When I log out of my system with Fiddler running, I see that the JSESSIONID changes when I get to the login screen and the Pega-RULES cookie is set to none. Are you not observing that? Do you have something like SSO set up that may be changing the behavior? How about something like Siteminder or a proxy server that may be "helpfully" remembering your information for you?

Or am I missunderstanding your comment?

Thanks,

Mike

To see attachments, please log in.
Posted: 8 years ago
Posted: 31 Aug 2016 20:46 EDT
Venu Palakondu (VenuP634)
CBA

CBA
AU

Hi Mike,

Thanks for responding.

We are using SSO for User authentication. Once user is logged off, Pega session is getting invalidated but pega cookies are not cleared in the browser. How can we identify the pega specific cookies in the browser. Please share your ideas.

Thanks,

To see attachments, please log in.
Posted: 8 years ago
Posted: 6 Sep 2016 3:33 EDT
Venu Palakondu (VenuP634)
CBA

CBA
AU

Hi,

Can someone please reply, How can we identify Pega rules cookies and clear them when the user logged off from the session. Please note we are using web sso authentication and pega cookies are not cleared when user logout from pega, so this can allow an attacker to continue accessing the application. Is there any OOTB config or code to identify and clear pega specific cookies from browser?

Thanks,

To see attachments, please log in.
Posted: 8 years ago
Posted: 6 Sep 2016 15:12 EDT
Mike Townsend (MikeTownsend_GCS) Director, Technical Support, Customer Service
Pegasystems Inc.
US

Venu,

I don't know the answer off the top of my head. Can you run an HTTP debugger, like Fiddler, and see what cookies are being passed? Likewise, if you take a look at the code that runs when you hit the logoff button from a direct session, something in there cleans up the cookie. I believe, at least in older versions of the product, there was a few lines of JavaScript that did that and they resided on the screen that displayed to confirm you were successfully logged out.

Thanks,

Mike

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice