Cookie usage in Pega software

Learn about the different types of cookies that Pega Platform and associated software can apply to applications. The cookies can change at any time to reflect changes to the cookies that Pega Platform uses. Use this information to inform your users about cookies for privacy and disclosure reasons.

What are cookies?

Cookies are small data files that the websites you visit store on your computer or mobile device. They are a standard feature of websites and contain basic information, such as user preferences. Cookies have multiple uses, such as tracking visitor activity, improving the quality of content and the website experience, remembering browser preferences, and displaying essential website features.

When a Pega developer sets cookies

As a Pega developer, if you build an application in Pega Platform that requires cookies, you assume the responsibility for disclosure and privacy to your customers. Include a clear notice about cookies in your browsing interface. The cookie notice must:

Cookies used by Pega software

The following tables provide a reference guide to the cookies that Pega uses, categorized by product and capability.

Constellation

Feature: Configuring Pega Platform for Constellation
Description: When you select Support React-based UI, Pega Platform generates a new cookie, Pega-AAT, to speed up stateless REST calls. For more information, see Configuring Pega Platform for Cosmos React UI.

Feature: Setting up the Constellation service in Pega Platform
Description: In Pega Cloud, the Constellation engine operates as a regional service that uses cross-domain URLs. Safari blocks cross-domain cookies by default. If you do not enable cross-domain cookies, the interface cannot display images in the UI. For more information, see Implementing Cosmos React UI in Pega Platform.

Feature: Using PCore and PConnect Public APIs
Description: The dynamicSetCookie override flag has a default value of true. When set to true, the application establishes a cookie that assists with access to the static content server. When set to false, the runtime does not attempt to set the application's C11n cookie dynamically. This can be useful when you want to reuse the cookies of the application that contains the mashup. For more information, see setBehaviorOverride(overrideKey, overrideValue).

Pega Cloud – High Availability

When you communicate privacy and disclosure policies to your users, note the following guidance about Pega Cloud cookie usage that supports high availability in client environments:

Feature: Load Balancer
Description: You can configure session affinity so that all requests from one user are handled by the same Pega Platform server. Pega Platform supports cookie-based affinity for slow drain quiesce. For more information, see Configuring session affinity for slow drain.

Pega Customer Decision Hub

Feature: Browser-based identity matching
Description: The Container REST service uses browser-based identity matching when the service is deployed on a company website as an unauthenticated service that runs in a customer's browser. In this case, the service uses browser cookies and the customer ID to identify an individual and present personalized content in the real-time container. For more information, see Identity management for the Container REST service.

Feature: Customer Profile Designer
Description: The Customer Profile Designer accelerator component is publicly available for download on Pega Marketplace. This component is meant for use by industry-specific customers of Pega Customer Decision Hub. The service accepts a JSON value for the following fields: For more information, see Customer Profile Designer accelerator component.

Feature: Customer Profile Viewer
Description: Use the Customer Profile Viewer to examine specific profile and behavioral data, including previous Next-Best-Action decisions and interaction history. You can use an ExternalID parameter to search for a customer in the Customer Profile Viewer. This is the unique cookie or external identity identifier used for anonymous customers. For more information, see Compliance inquiries and the Customer Profile Viewer.

Feature: Data Management Platforms (DMPs)
Description: Data Management Platforms (DMPs) provide a mechanism to update cookie-based audiences outside of a client web session. After a DMP establishes a cookie for an individual who visits an advertiser's website, you make subsequent server-to-server (S2S) updates through the DMP. You can deliver these updates to a separate ad platform that is responsible for selecting and bidding on ad inventory, such as a Demand Side Platform (DSP). For more information, see Enable Next-Best-Action targeting on DMP-based destinations.

Feature: Destination-specific interactions
Description: Media strategies use the CapturePaidResponse service to drive downstream learning based on paid interactions, such as paid clicks. The service captures and records interactions from paid channels and uses them to improve the accuracy of adaptive models and drive decisioning. This intelligent learning allows a media strategy to make destination-specific audience decisions for the same action. The service supports the POST HTTP method. The website to which an individual is redirected when they click the URL must contain JavaScript that fetches parameters from the click URL and passes them to the CapturePaidResponse service. For the request, the service expects a JSON object with the CustomerID attribute. This attribute identifies individuals based on information captured during their interactions with the destination. For individuals yet to be identified, the service stores a unique ID in a browser cookie. After the service identifies an individual as a customer, it stores their encrypted customer ID. For more information, see Reducing wasted ad spend based on destination-specific interaction results.

Feature: Launching a Microsite
Description: You must enable browser cookies to view a Microsite. For more information, see Launching a microsite.

Feature: Microsites: Identifying customers with identity matching
Description: Identity matching is a feature that allows a Pega Customer Decision Hub application to identify individuals across their addressable devices. This feature also enables a seamless transition between an anonymous individual and a recognized customer. When an individual is anonymous (for example, not logged in), the application captures relevant information during their various interactions. The application uses this information to determine the Next-Best-Action for this individual. When the individual authenticates as a customer, their anonymous interaction data is merged with their previous interaction history, which allows the application to maintain a complete view of the customer journey. Identity matching uses browser cookies to store identifying information. For individuals yet to be identified, it stores a unique ID in the cookie. After an individual has been identified as a customer, it stores their (encrypted) customer ID. During the individual's interactions with the application, additional data is collected and associated with the appropriate identifier (customer ID or unique ID). For more information, see Identifying customers with identity matching.

Feature: Microsites: Identifying customers who respond to a microsite
Description: Identity matching allows marketers to track unidentified customers and their interactions with Microsites. When an anonymous individual visits a Microsite, the system identifies the individual with a unique identifier. Later, when customer information is available to the Microsite, the system associates the anonymous user's interactions with the customer. For example, if the browser cookie contains the unique ID but the Microsite is aware of the customer, this stage associates the unique ID with the customer ID. Additionally, the cookie is updated with customer information. For more information, see Identifying customers who respond to a microsite.

Feature: Paid Media Manager: People-based paid destinations
Description: Paid Media Manager uses the people-based matching APIs for Facebook Ads, Google Ads, and LinkedIn Ads to synchronize paid audiences and target individuals based on their personally identifiable information (PII). After the connection is established, Pega Customer Decision Hub sends one-way hashed PII directly to the ad platforms through a secure connection. If the one-way hashed PII matches what the ad platform knows about the individual, the platform updates the audience and discards the hashed PII values. The paid destination cannot reverse the one-way hash to expose PII values. In this way, the individuals' PII is not exposed, and the one-way hash is only used to update the audience membership on the paid destination. For more information, see Learning about paid destinations.

Feature: Paid Media Manager: Web-based and DMP connections to paid destinations
Description: Paid Media Manager supports pixel-based APIs provided by advertising technology platforms, including demand-side platforms (DSPs), data management platforms (DMPs), and advertising networks. Instead of people-based APIs, these platforms generally rely on third-party cookies to build anonymous profiles and target individuals with ads. For more information, see Learning about paid destinations.

Pega Customer Service – Digital Messaging

Feature: Setting up Web Messaging
Description: When configuring security settings, you can add one or more cookies that allow passing information between your website and the Pega Customer Service implementation. For more information, see Setting up Web Messaging.

Pega Platform – HTTP Requests

Feature: HTTP connect rules
Description: Request headers must contain a PegaRULES cookie. With cross-origin resource sharing and Pega Web Mashups, if the PegaRULES cookie is not sent in a request, the SameSite cookie attribute set to the value Lax in Chrome causes subsequent requests to omit the cookie. You must set the SameSite attribute to None. The Set-Cookie response header is not included in an HTTP response when the following conditions exist: The Set-Cookie response header must specify the following attributes: For more information, see Understanding HTTP status codes for troubleshooting common issues.

Feature: Static content requests
Description: Perform the following steps to verify that the PegaRULES cookie is not sent to the Pega server along with the static content request: For more information, see Static content troubleshooting FAQs.

Pega Platform – Security

Feature: Cross-site request forgery settings
Description: When configuring cross-site request forgery settings, you can prevent the browser from submitting the PegaRULES cookie in a request from a non-originating site by completing the following steps: For more information, see Enabling and configuring Cross-Site Request Forgery settings.

Feature: Encryption: Protection of other sensitive data
Description: Pega creates and stores cookies in client browsers to assist with authenticating client requests. The cookie does not contain any operator-specific or case-specific data, only a randomly generated session ID. By default, this cookie is also encrypted using a Pega-generated key. You can replace this key by configuring BYOK for the master key that is used to encrypt cookies on the Data Encryption landing page, in the System data encryption section. For more information, see Encryption.

Feature: Encrypting application data
Description: System data encryption allows you to tell Pega Platform what to use, or who is providing the master key, for system data encryption. The only data that is encrypted is the session cookie. For more information, see Encrypting application data.

Feature: Pega Process Fabric Hub security
Description: The dynamic system setting prconfig/HTTP/SetSecureCookie/default prevents the exposure of the session ID cookie and also prevents session hijacking, because the browser then sends cookies only over SSL connections. For more information, see Pega Process Fabric Hub security dynamic system settings.

Pega Platform – Service REST Rules

Feature: Service REST APIs
Description: When the session state in a service package is set to Stateful, the service returns a cookie in the response with the Set-Cookie HTTP header. The cookie contains the Requestor ID of the requestor that processed the first request, with the prefix PegaRULES. For another request to access the same session data, the external application must include the PegaRULES cookie in the header of that request. For more information, see More about Service REST rules.

Pega Web Mashup

Feature: Authenticating web requests
Description: Pega Web Mashup does not work if third-party cookies are blocked when the mashup is hosted in a third-party domain (a domain other than the host domain). For more information, see Troubleshooting Pega mashup issues caused by browsers blocking third-party cookies.

Feature: Creating a mashup
Description: When creating a mashup, ensure that you disable SameSite cookies. For more information, see Creating a mashup.

Feature: Multiple mashups
Description: To avoid authentication issues, never load mashups simultaneously. When you load the first mashup, the server sends a pre-authentication cookie parameter to authenticate the requestor. When you load the second mashup, the server registers the second request, which has a pre-authentication cookie, even though the server validated the requestor for the first mashup. For more information, see Troubleshooting Pega mashup issues caused by browsers blocking third-party cookies.

Feature: Pega Customer Service
Description: When using Pega Customer Service, you must allow cookies in your browser settings.
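As an added example (not Pega's code), the following Python shows, from the external application's side, what the Service REST APIs and HTTP connect rules entries above describe: it reads the Set-Cookie headers of a stateful response, keeps the PegaRULES cookie for the follow-up request, and flags attribute combinations that would make a browser drop the cookie on cross-origin requests. The cookie name, values and header strings are constructed assumptions.

```python
"""Added example, not Pega code: handle the PegaRULES session cookie of a stateful
Service REST response and audit it for cross-origin use. Names/values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
COOKIE_NAME = "PegaRULES"  # assumed name of the stateful session cookie

@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased attribute names

def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return ParsedCookie(name.strip(), value.strip(), attrs)

def find_session_cookie(set_cookie_headers: List[str]) -> Optional[ParsedCookie]:
    """Pick the PegaRULES cookie out of all Set-Cookie headers in a response."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name == COOKIE_NAME:
            return cookie
    return None

def follow_up_cookie_header(cookie: ParsedCookie) -> str:
    """Cookie header the external application sends to reuse the same session."""
    return f"{cookie.name}={cookie.value}"

def audit_cross_origin(cookie: ParsedCookie) -> List[str]:
    """Findings that would make a browser drop the cookie on cross-origin requests."""
    findings = []
    samesite = (cookie.attrs.get("samesite") or "Lax").lower()  # Chrome treats absent as Lax
    if samesite != "none":
        findings.append(f"SameSite={samesite}: cross-origin follow-up requests omit the cookie; set SameSite=None")
    if "secure" not in cookie.attrs:
        findings.append("Secure missing: SameSite=None is rejected without it; cookie may travel over plain HTTP")
    return findings

# Constructed sample responses, not captured from a real Pega server.
WEAK_RESPONSE = ["JSESSIONID=abc123; Path=/; HttpOnly",
                 "PegaRULES=HE1234567890ABCDEF; Path=/prweb; HttpOnly"]
HARDENED_RESPONSE = ["PegaRULES=HE1234567890ABCDEF; Path=/prweb; Secure; HttpOnly; SameSite=None"]
```

Running audit_cross_origin on WEAK_RESPONSE reports both the missing SameSite=None and the missing Secure attribute; HARDENED_RESPONSE passes cleanly.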