Question
Pegasystems Inc.
JP
Last activity: 21 Nov 2015 7:22 EST
How Process Commander uses HTTP cookies
Can anybody tell me if the contents of the PDN article https://pdn.pega.com/system-operations/how-process-commander-uses-http-cookies are still valid with Pega 7.1.9?
The article is quite old and Pega 7 is not mentioned in the supported product name field.
Pegasystems Inc.
US
The article looks to be fine at the high level. To answer your question: yes, PRPC uses cookies. Here is an example for 7.1.8 with the secure cookie and HttpOnly set to true (helpful to prevent the cookie from being tampered with):
POST https://wsep02w7:39643/prweb/pbdorj4V2aBoI4ScEONLsEaxdEWiqDby*/!STANDARD HTTP/1.1
Host: wsep02w7:39643
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://wsep02w7:39643/prweb/pbdorj4V2aBoI4ScEONLsEaxdEWiqDby*/!STANDARD?pzPostData=2060441368
Content-Length: 39
Cookie: IAC-NonGateway=%20ace3a1cfe3d840ba36a99d68c13009de; JSESSIONID=39986F2111533A270D0A7A4CBDB0BE86; Pega-RULES=H7CC5BB4B357E3A458CC1BEF8FDF9C913
HTTP/?.? 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: Pega-RULES=H7CC5BB4B357E3A458CC1BEF8FDF9C913; Path=/prweb; Secure; HttpOnly
IAC-NonGateway: b616c531fc3a3c0c7adc35f6854fa45e
pxHandler: IAC
Cache-Control: max-age=0
Content-Type: text/html;charset=UTF-8
Content-Length: 4
Date: Thu, 19 Nov 2015 13:27:40 GMT
Pegasystems Inc.
JP
Hi Kevin,
Thanks for your comments.
Is it true that if the request is sent via the HTTPS protocol, the cookie will be treated as a secure cookie even if the "Secure" attribute is NOT set in the response header?
Below are the HTTP request/response headers from the Pega Cloud instance that my client is using for evaluation purposes; I found that the Secure attribute is missing in the response header.
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8,ja;q=0.6,zh-CN;q=0.4,zh;q=0.2,ko;q=0.2
Connection:keep-alive
Content-Length:39
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=528DDE613C69C651BAC5FEF1D34E213D.node1; Pega-RULES=H66A417F73AFBBF6322A2A03DA341303B
Host:foo.pegacloud.com
Origin:https://foo.pegacloud.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
X-Requested-With:XMLHttpRequest
HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html;charset=UTF-8
Date: Fri, 20 Nov 2015 04:03:47 GMT
IAC-NonGateway: d741c7fa2da2ccda05613d095b5990c1
pxHandler: IAC
Server: Apache-Coyote/1.1
Set-Cookie: Pega-RULES=H66A417F73AFBBF6322A2A03DA341303B; Version=1; Comment="PegaRULES session tracking"; Path=/prweb
Content-Length: 4
Connection: keep-alive
Pegasystems Inc.
US
HTTPS is a necessary condition for a secure cookie, but you also need to set the prconfig settings in PRPC (the first one enables the HttpOnly cookie, the second one enables the secure cookie):
<env name="cookie/HttpOnly" value="true"/>
<env name="http/setsecurecookie" value="true"/>
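The two captures in this thread (the 7.1.8 response with `Secure; HttpOnly` and the cloud response without them) can be checked mechanically, and the question of whether an HTTPS-issued cookie is "treated as secure" without the attribute can be answered by feeding both Set-Cookie headers to a browser-like cookie jar and asking what it would attach to a plain http:// request. The script below is an added example, not Pega code or anything from the PDN article: the two header sets are constructed from the Set-Cookie lines quoted above, and the host foo.pegacloud.com and the /prweb/PRServlet URL path are assumptions used only to give the jar a request to evaluate.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and show what a cookie jar
does with each cookie over http:// versus https://.

Added example, not part of the original thread or of Pega's code.
Cookie values are copied from the headers quoted in the thread; the host
and URL path below are assumptions for illustration.
"""
import http.cookiejar
import urllib.request
from email.message import Message

SESSION_COOKIES = ("JSESSIONID", "Pega-RULES")

# Assumed URLs: the response is received on SET_URL, then we probe whether the
# stored cookie would be sent to the same host over http:// and over https://.
SET_URL = "https://foo.pegacloud.com/prweb/PRServlet"
HTTP_PROBE = "http://foo.pegacloud.com/prweb/PRServlet"
HTTPS_PROBE = "https://foo.pegacloud.com/prweb/PRServlet"

# Constructed from the 7.1.8 capture: cookie/HttpOnly and http/setsecurecookie on.
SECURE_RESPONSE = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", "Pega-RULES=H7CC5BB4B357E3A458CC1BEF8FDF9C913; "
                   "Path=/prweb; Secure; HttpOnly"),
]
# Constructed from the cloud capture: neither prconfig setting enabled.
WEAK_RESPONSE = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", 'Pega-RULES=H66A417F73AFBBF6322A2A03DA341303B; Version=1; '
                   'Comment="PegaRULES session tracking"; Path=/prweb'),
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure / HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip().strip('"') if val else True
    return name.strip(), value.strip(), attrs


def audit(headers):
    """Return {session_cookie_name: [missing attributes]} for a header list."""
    findings = {}
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hval)
        if name in SESSION_COOKIES:
            findings[name] = [a for a in ("Secure", "HttpOnly")
                              if a.lower() not in attrs]
    return findings


class _Response:
    """Minimal object exposing the info() method CookieJar.extract_cookies needs."""

    def __init__(self, headers):
        self.msg = Message()
        for key, val in headers:
            self.msg[key] = val

    def info(self):
        return self.msg


def sent_over(headers, set_url, probe_url):
    """Store the cookies from a response received at set_url, then return the
    cookie names the jar would attach to a request for probe_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(headers), urllib.request.Request(set_url))
    probe = urllib.request.Request(probe_url)
    jar.add_cookie_header(probe)
    cookie_hdr = probe.get_header("Cookie", "")
    return [c.split("=", 1)[0].strip() for c in cookie_hdr.split(";") if c.strip()]


if __name__ == "__main__":
    for label, resp in (("7.1.8 capture", SECURE_RESPONSE), ("cloud capture", WEAK_RESPONSE)):
        print(label, "missing:", audit(resp))
        print("  sent over http: ", sent_over(resp, SET_URL, HTTP_PROBE))
        print("  sent over https:", sent_over(resp, SET_URL, HTTPS_PROBE))
```

The jar answers the question in the thread directly: the cookie issued over HTTPS without the `Secure` attribute is still attached to a plain http:// request for the same host, so receiving it over TLS does not make it a secure cookie; only the attribute does. `audit()` is the check to run against a Pega instance's login response after enabling the two prconfig settings.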
Pegasystems Inc.
JP
Thanks Kevin!
Guess I need to remind the cloud operations team to turn on those two prconfig settings.
Pegasystems Inc.
US
Well, it all depends on the requirement. Sometimes this is a purely technical decision.
Pegasystems Inc.
US
Correction. I meant this is NOT purely a technical decision.
Pegasystems Inc.
JP
Agreed. It is the security policies of my client's organization that mandate secure cookie usage with HttpOnly.