Question
JPMC
US
Last activity: 10 Feb 2016 9:23 EST
Setting cookies http-only and secure
Hi... Are the below DSS settings correct and will they achieve the desired result, or do I have to make changes in web.xml and redeploy the ear?
prconfig/cookie/HttpOnly/default = true
prconfig/HTTP/SetSecureCookie/default = true
Accepted Solution
JPMC
US
After removing the secure cookie setting, things started working fine. It seems this setting is applicable for servlet specification 3.0, while in Pega 7.1.5 we are using servlet 2.5 specifications.
JPMC
US
My current Pega version is 7.1.5.
PEG
IN
Hi,
The DSS settings should work, but a server restart is required to make them work.
Pegasystems Inc.
US
Can you elaborate what you mean by 'desired result'?
You should look at the Fiddler trace. The HTTP headers should say HttpOnly.
JPMC
US
Hi All... Even after creating these DSS settings and restarting the server, Fiddler is still not showing the cookie as HttpOnly. My Fiddler trace still says this (no HttpOnly attribute is set):
Set-Cookie: Pega-RULES=H81C6814D9A5EEEE42E6D0169D088D9C1; path=/prweb
I researched on PDN and it says that in Pega 7.1.x these settings are OOTB and should work, but in my case it's still not working.
https://community.pega.com/support/support-articles/how-set-cookies-http-only
Pegasystems Inc.
US
I just confirmed with 7.1.8 (on Tomcat); it is working. Open an SR if you still cannot make that work:
GET https://wsep02w7:39643/prweb/311tLSRH6FY_ckiZ-QSuUrIuLBGH9n58HxMtcaL4sm8%5B*/!STANDARD? HTTP/1.1
Host: wsep02w7:39643
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=3015E796979D80A62763D7168F7ED1A9; Pega-RULES={atn}e3ByfWI2Y1JNeGE1LzVwVC80ZGdZNTBJY2RjcDVpMnB3K3VPMXV0S3ZoeEtaQ0cvaTR3OUhBWlkyNDZuanYrVUtzcnBhTlJUZ0UxaHlYRDUKc2dzTTVaVFgydz09
HTTP/?.? 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: Pega-RULES={atn}e3ByfXVQZFU4VCtEbW1TQmx6bkgxY3hVdi9UZitaNHAyWHYwUWlsR2tMM1U5eGhVTmJ2TUdweGhUb1Q2Z0hjWnZIaXhBdnhpb2FZeVZRR3kKLzh5anVsU0o0QT09; Path=/prweb; Secure; HttpOnly
Cache-Control: max-age=0
Content-Encoding: gzip
Content-Type: text/html;charset=UTF-8
Content-Length: 2359
Date: Tue, 15 Sep 2015 17:41:39 GMT
JPMC
US
Kevin Zheng - Could you please let me know whether you tested using DSS settings or by changing web.xml and redeploying the war file? In my case it's not working, so I believe I have to raise an SR.
Pegasystems Inc.
US
Yes, it works both using DSS and prconfig.xml.
JPMC
US
Hi Kevin Zheng... after restarting the server multiple times the setting seems to be working now, and I can see both attributes are set properly through Fiddler, as shown below:
JSESSIONID=7yk2V7hNB2KyynC8H3XC7p7nhPyYTv2H2g0xrsyN3KfgntZ91DLW!-103695969; path=/; HttpOnly
Pega-RULES={atn}e3ByfW1aMTR6WTFmTXhkSE4vR3N1cW9nU0M0UUtMbUYxSDFXUFlMcFk0R01HMWtqOUd3MnZJd3pRVUxiV0E3MUk2Rmx2UDR2RG1sRVFWUkwKQXp3QU1uQVV5QT09; path=/prweb; secure
But now when I enter my ID and password and click on submit on the login page, I am getting the below error; it is not letting me in (FYI - cookies are enabled). Can you please throw some light on this issue?
Status | fail
Message | An error has occurred which indicates that your browser does not support Cookies. You must enable Cookies in order to use this application
Operator ID | F579211
Requestor ID | HAD8FDB6B61D9FFA7144F08C58C10A099
Timestamp | Thu Sep 17 15:52:53 EDT 2015
Engine Version | PegaRULES 7.10 ML5 (coreAssemblyCached_715_230_filtered)
Pegasystems Inc.
US
Are you using https?
JPMC
US
Not yet, it's the next thing that I will be implementing for our application.
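The exchange above (the Set-Cookie lines seen in Fiddler, and the login failure once Secure was set on a site served over plain http) can be checked mechanically. The following is an added example, not code from the thread or from Pega: it parses Set-Cookie header values, reports which of HttpOnly and Secure are missing, and models the one browser rule that explains the "browser does not support Cookies" symptom, namely that a Secure cookie is never sent back on a non-https request. The sample headers are constructed after the ones quoted in the thread, with placeholder cookie values; the host and request URLs are assumptions.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and model the Secure-over-http failure.

Added example for this thread; not the forum's or Pega's own code.
Sample headers are constructed, modelled on the Fiddler lines quoted
in the thread, with placeholder cookie values.
"""
from urllib.parse import urlsplit

# Constructed samples: no flags, both flags, HttpOnly only, Secure only.
SAMPLE_SET_COOKIES = [
    "Pega-RULES=PLACEHOLDER1; path=/prweb",
    "Pega-RULES=PLACEHOLDER2; Path=/prweb; Secure; HttpOnly",
    "JSESSIONID=PLACEHOLDER3; path=/; HttpOnly",
    "Pega-RULES=PLACEHOLDER4; path=/prweb; secure",
]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because browsers compare them
    case-insensitively ("Secure" and "secure" are the same flag).
    Flag attributes map to True; valued attributes (Path, Domain, ...)
    map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return the list of hardening flags missing from a Set-Cookie value.

    Empty list means both HttpOnly and Secure are present.
    """
    _, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def browser_would_send(header_value, request_url):
    """Model whether a browser would return this cookie on request_url.

    Only two rules are modelled: a cookie with the Secure attribute is
    sent only over https, and the request path must start with the
    cookie's Path. Domain, expiry and SameSite are not modelled.
    """
    _, _, attrs = parse_set_cookie(header_value)
    url = urlsplit(request_url)
    if attrs.get("secure") and url.scheme != "https":
        return False  # Secure cookie withheld on plain http: session is lost
    path = attrs.get("path")
    if not isinstance(path, str) or not path:
        path = "/"
    return (url.path or "/").startswith(path)


if __name__ == "__main__":
    # Assumed URLs; the host name is a placeholder.
    for h in SAMPLE_SET_COOKIES:
        name = parse_set_cookie(h)[0]
        print(f"{name}: missing {audit_set_cookie(h) or 'nothing'}; "
              f"returned over http? {browser_would_send(h, 'http://host/prweb/PRServlet')}; "
              f"over https? {browser_would_send(h, 'https://host/prweb/PRServlet')}")
```

Running it on the fourth sample (Secure set, served over http) returns False from browser_would_send, which is the situation the thread describes: the application sets the cookie, the browser keeps it but never sends it back on http, and the server reports that cookies are disabled. Enabling Secure is correct only once the application is actually served over https.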
US
HttpOnly is currently not working for me, PRPC 7.1.9 on JBoss 6.4.4.
We have the following DSS: