Skip to main content

Resolved Issues

View the resolved issues for a specific Platform release.

Go to download resolved issues by patch release.

Browse release notes for a selected Pega Version.

NOTE: Enter just the Case ID number (SR or INC) in order to find the associated Support Request.

Please update your bookmarks. This site will be discontinued in Dec 2024.

Pega Platform Resolved Issues for 8.1 and newer are now available on the Support Center.

SR-D79479 · Issue 549779

SameSite cookie setting updated for pre-authentication

Resolved in Pega Version 8.5

In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.

SR-D63727 · Issue 531725

Authorization header base 64 format error recategorized as debug logging

Resolved in Pega Version 8.5

Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.

SR-D64523 · Issue 545671

Stream Registration deprecated and replaced

Resolved in Pega Version 8.5

Previously, Stream Registration, which was added as an extra layer of protection during the display of stream rules, automatically registered any streams being used in the context and checked this registry during reloadSection/reloadHarness calls to prevent Broken Access Control attacks. However, only an alert was thrown and no further action was being taken on it. With platform added support for URL Tampering, Stream Registration is no longer required and has been deprecated. The URL Tampering function has the capabilities to register for auto/non-auto rules and configure whether to display warning or reject the request for all the activities, and not just the stream rules. Note that URL Tampering will do registration/validation only when security/rejectTamperedRequests is explicitly set to true.

SR-D52604 · Issue 548061

Stream Registration deprecated and replaced

Resolved in Pega Version 8.5

Previously, Stream Registration, which was added as an extra layer of protection during the display of stream rules, automatically registered any streams being used in the context and checked this registry during reloadSection/reloadHarness calls to prevent Broken Access Control attacks. However, only an alert was thrown and no further action was being taken on it. With platform added support for URL Tampering, Stream Registration is no longer required and has been deprecated. The URL Tampering function has the capabilities to register for auto/non-auto rules and configure whether to display warning or reject the request for all the activities, and not just the stream rules. Note that URL Tampering will do registration/validation only when security/rejectTamperedRequests is explicitly set to true.

SR-D76409 · Issue 540301

Cleanup added for staging directory

Resolved in Pega Version 8.5

Temporary files from imports and exports (from DevOps) were filling up the staging area disk space because there was no automatic process for cleaning up these local files. This has been resolved by adding an enhancement that will clear the directory on Engine Startup and any time ParUtils.setStagingDirectory gets called to initialize the staging directory.

SR-D78045 · Issue 539893

Cleanup added for staging directory

Resolved in Pega Version 8.5

Temporary files from imports and exports (from DevOps) were filling up the staging area disk space because there was no automatic process for cleaning up these local files. This has been resolved by adding an enhancement that will clear the directory on Engine Startup and any time ParUtils.setStagingDirectory gets called to initialize the staging directory.

SR-D90524 · Issue 549047

SameSite cookie setting added for Mashup support in Google Chrome v80+

Resolved in Pega Version 8.5

The Google Chrome browser version 80 and above now treats SameSite with a blank value as "Lax" by default, causing mashup scenarios to break. In order to compensate for this change, support has been added for setting SameSite=None in Cookie Settings; this value automatically includes the “secure” cookie flag, which enforces HTTPS for the Pega server and mashup. For mashups to work, SameSite should be set as None. Create a Dynamic system setting in the Pega-Engine RuleSet with the name “security/csrf/samesitecookieattributevalue” and the value "None" and restart the server. (The SameSite value "None" works only in secure HTTPS connections.) Note: The SameSite cookie may be set to None/Lax/Strict, based on the requirement. For cookie requirements other than mashup, it should be set as either Strict or Lax, depending upon your application.

SR-D79178 · Issue 543313

SameSite cookie setting added for Mashup support in Google Chrome v80+

Resolved in Pega Version 8.5

The Google Chrome browser version 80 and above now treats SameSite with a blank value as "Lax" by default, causing mashup scenarios to break. In order to compensate for this change, support has been added for setting SameSite=None in Cookie Settings; this value automatically includes the “secure” cookie flag, which enforces HTTPS for the Pega server and mashup. For mashups to work, SameSite should be set as None. Create a Dynamic system setting in the Pega-Engine RuleSet with the name “security/csrf/samesitecookieattributevalue” and the value "None" and restart the server. (The SameSite value "None" works only in secure HTTPS connections.) Note: The SameSite cookie may be set to None/Lax/Strict, based on the requirement. For cookie requirements other than mashup, it should be set as either Strict or Lax, depending upon your application.

SR-D48433 · Issue 529856

Exception handling added for Redirect URL fetched from GRS

Resolved in Pega Version 8.5

When the application definition under “integration and security" tab was configured to use "Store in web storage provider" to allow choosing the storage name and the authentication profile, configuring the authentication profile to use an OpenID connect provider with the pyEndpointURL property given as a global resource setting such as (=D_SharepointDetails.url) was not working as expected. Clicking browse in the application definition sent the request to the OpenID connect provider and was returned with the error "The reference =D_SharepointDetails.url is not valid. Reason: Page name (D_SharepointDetails) from indirect reference was not found." This was traced to the Redirect URL (fetched from GRS) throwing an unhandled exception, and has been resolved.

SR-D72636 · Issue 536089

Added handling for Authorization Server login loop

Resolved in Pega Version 8.5

When the Authorization server returned an error, it was redirecting back with error, error_description, and parameters. The system then tried to start the login process again, the same error parameters were returned again, and it continued to loop this way. To resolve this issue, handling has been added for this error scenario from the Authorization Server.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us