
Facilitating Bookmarks by Using Zero as the Session ID

If the pages within an application are public and do not require authentication, you make it easier for application users to bookmark pages by using zero as the session ID.

Application pages that do not require authentication can be accessed with "f?p" URLs where the session ID is zero (that is, the single digit 0). When you request a page by either entering the URL in the browser or by clicking on a link having 0 for the session ID, the Application Express engine assigns a new session ID and sends a session cookie containing this new session ID to your browser. As you navigate through the application's public pages, you will see that all generated links to public pages will contain 0 for the session ID and all branches to public pages will have new URLs that use 0 as the visible session ID. Behind the scenes, however, the Application Express engine uses the session ID in the cookie as the actual session ID to locate session state.

This feature is useful when you want to hide the actual session ID. By hiding the session ID, you enable users to bookmark pages without needing to include the session ID in the bookmark link. As an added benefit, using zero as the session ID also keeps the actual session ID hidden from search engines.

In order to use zero as the session ID in your application, you have to generate at least one link having a zero session ID. The use of this first link starts the zero session ID mechanism. One approach would be to provide a single static link with a zero session ID on the application home page. For example, where you might normally code the link to page 2 as f?p=&APP_ID.:2:&APP_SESSION., you would code f?p=&APP_ID.:2:0.

About APEX_UTIL.PREPARE_URL

Oracle provides a utility function to enable developers to use PL/SQL to generate anchors to application pages using the f?p syntax. Use APEX_UTIL.PREPARE_URL whenever PL/SQL in the application produces f?p anchors that might require a zero session ID. To learn more, see "PREPARE_URL" in Oracle Application Express API Reference.

How the Zero Session ID Feature Works

The zero session ID feature provides support for pages having anchors in the HTML (such as in templates or HTML regions). When the Application Express engine encounters f?p anchors it recognizes them and replaces the session ID with zero, if certain criteria are met.

The Application Express engine replaces the session ID component with zero when it detects one of the following patterns:

Examples of patterns in HTML that are candidates for zero-session ID replacement include:

In these examples, the pattern &APP_SESSION. (or &SESSION., not shown) is replaced with zero if the application is operating in zero-session ID mode and the user is a public user. Note that the user is considered a public user if the following PL/SQL expression is true:

:app_user in ('nobody','HTMLDB_PUBLIC_USER','PUBLIC_USER','ANONYMOUS','APEX_PUBLIC_USER')
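The following added example (not Oracle code and not part of the Application Express engine) audits template HTML for f?p anchors that would still show a real session ID once rendered, using the replacement rule and the public-user list described above. The helper names, the sample HTML, and the numeric session ID are constructed for illustration, and the script assumes the session ID is the third colon-separated field of an f?p URL.

```python
import re

# Public-user names, copied from the PL/SQL expression on this page.
PUBLIC_USERS = {"nobody", "HTMLDB_PUBLIC_USER", "PUBLIC_USER",
                "ANONYMOUS", "APEX_PUBLIC_USER"}
SUBSTITUTIONS = {"&APP_SESSION.", "&SESSION."}
HREF_RE = re.compile(r"""(?i:href)\s*=\s*["']([^"']*f\?p=[^"']*)["']""")

# Constructed sample template; the numeric session ID is made up.
SAMPLE = """
<a href="f?p=&APP_ID.:2:0">Catalog</a>
<a href="f?p=&APP_ID.:3:&APP_SESSION.">News</a>
<a href="f?p=100:4:&SESSION.:::4:P4_ID:7">Item</a>
<a href="f?p=100:5:8837214409132">Contact</a>
"""

def classify_session(href):
    """Return (page, verdict) for one f?p URL (fields: App:Page:Session:...)."""
    fields = href.split("f?p=", 1)[1].split("#", 1)[0].split(":")
    page = fields[1] if len(fields) > 1 else ""
    session = fields[2] if len(fields) > 2 else ""
    if session == "0":
        return page, "zero"
    if session in SUBSTITUTIONS:
        return page, "substitution"   # candidate for replacement with zero
    if session == "":
        return page, "missing"
    return page, "exposed"            # literal ID, not one of the named patterns

def is_public_user(app_user):
    """Same membership test as the PL/SQL expression (case-sensitive)."""
    return app_user in PUBLIC_USERS

def exposed_links(html, app_user, zero_mode):
    """List hrefs that would still show a real session ID after rendering."""
    rewritten = zero_mode and is_public_user(app_user)
    hits = []
    for href in HREF_RE.findall(html):
        _, verdict = classify_session(href)
        if verdict == "exposed" or (verdict == "substitution" and not rewritten):
            hits.append(href)
    return hits

if __name__ == "__main__":
    for user, mode in [("APEX_PUBLIC_USER", True), ("JSMITH", True)]:
        print(user, mode, exposed_links(SAMPLE, user, mode))
```

A link reported for a public user in zero-session ID mode is one whose session ID is hard-coded rather than written as &APP_SESSION. or 0, so it would end up in bookmarks and search engine indexes.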