Question
NOVITATES Technology Solutions
IN
Last activity: 3 Oct 2025 17:28 EDT
Log Off Redirecting URL is forming with additional encrypted information
Hi Everyone,
I am facing an unexpected issue with Logoff functionality in our application (Pega version 8.7.6).
We are using Basic Authentication, and when a user logs off, the OOTB LogOff activity gets triggered. This in turn calls:
-
LogOff→pzSchemePRAuthLogOff→pzSchemePRAuthBasicLogOff
In Step 7 of this activity, the following function is executed:
@pzEncryptURLActionString(tools,"Global","pyActivity=Code-Security.EndSession&pzAuth=guest") + "&" + local.redTo
This is generating an unexpected URL with additional encrypted information, as shown below:
https://XXXXXXX/prweb/PRAuth/app/default/XXXX*/!STANDARDpzuiactionrrr=CXtpbn1jSG9jbWN5ZXZZOWh6ajlseDhEcW9Nd2J5dTlKc01lK0o5aEsvNXZPUmRqRkRBWmtyaTBvQTFRVGVxR0VCc1ZSZkllZnBuVkFkZXhPbWFRRytDSWlXclRjanVuMjZBQnllL2luZFRrMG9hSlBqTVI1eWhxWEg4MTRjbFhnbU5HeA%3D%3D*
With this URL, when we log off from the portal and try to log in again, the browser does not allow login. No related errors are captured in the logs or on screen.
As all the involved rules (prefixed with pz) are final, and no extension points.
Could you please help us with guidance or possible approaches to resolve this issue?
HCA Healthcare
US
@Aravind Reddy This isn’t a bug in the encrypt function; that long pzuiaction… chunk is Pega’s CSRF-safe URL token. The real issue is Basic Authentication: the browser caches the credentials and won’t reliably “log out,” so after LogOff→EndSession the next request reuses cached creds and you get stuck. Fix it by using a custom Basic Authentication service and set its Logout Activity to: 1) call Code-Security.EndSession, 2) explicitly delete Pega-RULES and Pega-SESSION cookies, 3) send a 401 with WWW-Authenticate to flush the browser’s Basic-Auth cache, then 4) HTTP-redirect to the unauthenticated servlet (for example /prweb) or a public logout page without any encrypted params. Also set no-cache headers on the login and logout responses. If you must keep PRAuth, disable any “redirect to previous URL” logic and always redirect to a clean landing page after logout. Finally, test in multiple browsers (they handle Basic-Auth cache differently) and consider moving off Basic Auth to OIDC/SAML, which gives clean, supported logout flows.