KiranKumarS3582 Member since 2018 7 posts
Ministry of Education Saudi Arabia
Posted: 11 months ago
Last activity: 11 months ago

HTTP 400 Error: Pega session is no longer active

Users are complaining that they are getting an HTTP 400 error.

Steps to reproduce:

- Log in to Pega through the SSO link (uses IDM authentication).

- With the same user, log in to another application (.NET) in the same browser in a different tab; this application also authenticates with IDM.

- Log out from .NET; the identity server enforces logout from all other applications, which includes Pega as well.

- Now try to perform any action in Pega: it shows an HTTP 400 error. If you refresh the browser, it takes you to the login screen specified in SAMLAuth, which is working fine.

The expectation is that even when the user tries to perform any action in Pega after logging out from the other application, the user should be routed to the login screen instead of getting an HTTP 400 error.

Summary:

  1. The identity server enforces a federated logout mechanism.
  2. As a result, logging out of a different application sets the Pega-RULES cookie to a null value.
  3. Because the cookie has been killed, the Pega session no longer remains active.
  4. When the browser tab showing the Pega session is refreshed, it prompts a new login screen for reauthentication.
  5. However, when any action (a section refresh, etc.) is performed from the just-killed Pega session, an HTTP 400 error is thrown.

The error is happening because the Pega session is no longer active. To avoid showing this HTTP error to end users, the aim is to challenge the user for reauthentication whenever they click any action on the screen.

Has anyone faced this issue and implemented changes?

Pega Platform Security SR Exists
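The scenario in the post, as an added example that is not part of the original post and not Pega's own code: a client-side guard that every UI action passes through, so that a request answered with HTTP 400 after the federated logout ends in a redirect to the login page rather than an error shown to the user. A bare 400 is ambiguous (a genuine malformed request from a live session also returns 400), so the guard confirms the session state with a cheap probe request before redirecting. The login URL `/prweb/PRAuth/SAML`, the probe path `/session-probe`, and the `fakeServer` stand-in (which models the post's behaviour: a cleared `Pega-RULES` cookie yields 400) are assumptions for illustration; the `browser` object is a constructed stand-in for the page's cookie jar and `window.location`. The client never inspects the session cookie itself, since a session cookie is normally HttpOnly; only the (simulated) server reads it.

```javascript
// Added example, not Pega's own code. Redirects to login when a request
// fails because the Pega session was killed by a federated logout.

const SESSION_COOKIE = 'Pega-RULES';       // cookie the federated logout clears (from the post)
const LOGIN_URL = '/prweb/PRAuth/SAML';    // assumed SAML login entry point (hypothetical)
const PROBE_PATH = '/session-probe';       // assumed cheap "is my session alive?" endpoint

// Server-side view of the cookie header: the session counts as present only
// when Pega-RULES exists AND carries a non-empty value (logout leaves it empty).
function hasSessionCookie(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim())
    .some((c) => {
      const eq = c.indexOf('=');
      if (eq < 0) return false;
      const name = c.slice(0, eq).trim();
      const value = c.slice(eq + 1).trim();
      return name === SESSION_COOKIE && value.length > 0;
    });
}

// Constructed stand-in for the Pega server. Without a live session cookie every
// request gets 400, as described in the post; with one, the probe answers 204,
// a deliberately malformed request answers 400, and anything else succeeds.
function fakeServer(path, cookieString) {
  if (!hasSessionCookie(cookieString)) {
    return { status: 400, body: 'Pega session is no longer active' };
  }
  if (path === PROBE_PATH) return { status: 204, body: '' };
  if (path === '/bad-request') return { status: 400, body: 'malformed parameters' };
  return { status: 200, body: 'section refreshed' };
}

// Decide whether a response means the user must log in again.
// 401/403 always do. A 400 is ambiguous, so ask the server via the probe:
// if the probe also fails, the session is dead; if it succeeds, the 400 was
// a genuine bad request from a live session and must be surfaced, not hidden.
function needsReauth(status, probe) {
  if (status === 401 || status === 403) return true;
  if (status === 400) return probe().status !== 204;
  return false;
}

// Wrapper every UI action goes through. `request` is injectable so the
// example runs offline against fakeServer; in a page it would wrap fetch.
function sendAction(browser, path, request = fakeServer) {
  const res = request(path, browser.cookie);
  const probe = () => request(PROBE_PATH, browser.cookie);
  if (needsReauth(res.status, probe)) {
    browser.location = LOGIN_URL;            // route to login instead of showing the error
    return { outcome: 'redirected', status: res.status };
  }
  if (res.status >= 400) {
    return { outcome: 'error', status: res.status, body: res.body };
  }
  return { outcome: 'ok', status: res.status, body: res.body };
}

// The sequence from the post: action with a live session, a genuine bad
// request (still reported as an error), then the IdM logout clears the
// cookie and the next action is redirected to login.
function scenario() {
  const browser = { cookie: 'Pega-RULES=abc123; JSESSIONID=deadbeef', location: '/prweb/app' };
  const live = sendAction(browser, '/section-refresh');
  const genuineBadRequest = sendAction(browser, '/bad-request');
  browser.cookie = 'Pega-RULES=; JSESSIONID=deadbeef';   // what the federated logout leaves behind
  const afterLogout = sendAction(browser, '/section-refresh');
  return { live, genuineBadRequest, afterLogout, location: browser.location };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The probe costs one extra round trip, but only on the error path, so a live session pays nothing for it. If the server can instead return a distinguishable status (401) or a specific error body for the dead-session case, `needsReauth` can key on that and the probe becomes unnecessary.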