Posted: 28 Aug 2016 21:04 EDT Last activity: 6 Sep 2016 15:46 EDT
Ineffective Logout Function
The Case Manager logout function does not clear cookies on the client side or invalidate them on the server side. So, this could allow an attacker to continue accessing the web application if cookie values are intercepted, even if the user has logged out.
Please share your thoughts.
***Updated by Moderator: Vidyaranjan. Removed user added #helpme and Ask the Expert tags. Apologies for confusion, shouldn't have been an end-user option***
I'm not sure what function you are talking about specifically. When I log out of my system with Fiddler running, I see that the JSESSIONID changes when I get to the login screen and the Pega-RULES cookie is set to none. Are you not observing that? Do you have something like SSO set up that may be changing the behavior? How about something like Siteminder or a proxy server that may be "helpfully" remembering your information for you?
We are using SSO for user authentication. Once the user is logged off, the Pega session is invalidated, but Pega cookies are not cleared in the browser. How can we identify the Pega-specific cookies in the browser? Please share your ideas.
Can someone please reply? How can we identify Pega rules cookies and clear them when the user logs off from the session? Please note we are using web SSO authentication and Pega cookies are not cleared when the user logs out from Pega, so this can allow an attacker to continue accessing the application. Is there any OOTB config or code to identify and clear Pega-specific cookies from the browser?
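One way to check, from the `Set-Cookie` headers of a captured logout response (for example from Fiddler), whether the cookies named in this thread are cleared, rotated or left alone in the browser. This is an added example, not part of the thread and not Pega code; the header values are constructed and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIES = ("JSESSIONID", "Pega-RULES")  # cookie names mentioned in the thread

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return name, value.strip('"'), attrs

def is_cleared(attrs, now):
    """True if the header tells the browser to delete the cookie.
    Max-Age takes precedence over Expires (RFC 6265)."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        pass
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now

def audit_logout(pre_logout, set_cookie_headers, now=None):
    """Classify each session cookie as cleared / rotated / unchanged / not sent."""
    now = now or datetime.now(timezone.utc)
    seen = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        seen[name] = (value, attrs)
    report = {}
    for name in SESSION_COOKIES:
        if name not in seen:
            report[name] = "not sent"  # browser keeps the pre-logout value
        elif is_cleared(seen[name][1], now):
            report[name] = "cleared"
        elif seen[name][0] != pre_logout.get(name):
            report[name] = "rotated"
        else:
            report[name] = "unchanged"
    return report
```

A "cleared" or "rotated" result only covers the browser side; the pre-logout session value must also be rejected by the server.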
Posted: 5 years ago
Posted: 6 Sep 2016 15:12 EDT
Mike Townsend (MikeTownsend_GCS)
Director, Software Solutions Engineering