Password items do not emit the text entered to the Web browser screen. When creating password items, Oracle recommends using password attributes that do not save session state. This prevents the password from being saved in the database in the session state tables.
Configurable password item type attributes include:
Value Required - If set to Yes and the page item is visible, Application Express will automatically perform a NOT NULL validation when the page is submitted. If set to No, no validation is performed and a NULL value is accepted.
Submit when Enter pressed - If set to Yes, when the user presses the Enter key in the field, the page is submitted.
Does not save state - If set to Yes, the password is not saved into session state. For security reasons you should always set this attribute to Yes. If you set it to No, consider setting the attribute Store value encrypted in session state to Yes.
Authorization Scheme - Optionally select an authorization scheme which must evaluate to TRUE in order for this component to be rendered or otherwise processed.
Session State Protection - You can select the level of session state protection by setting this attribute to Unrestricted or Restricted.
Unrestricted means the item may be set by passing the item in a URL or in a form. No checksum is required in the URL.
Restricted means the item may not be set from a browser. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed, even if Session State Protection is disabled.
Store value encrypted in session state - Session state that is sensitive can be encrypted when stored in Application Express session state management tables. To keep session state for this item encrypted, set the value to Yes. To learn more, see "About Session State and Security".
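To check these settings across existing applications, the following query lists every password item and flags those that save the password in session state. It is an added example, not part of the Oracle documentation. It assumes the APEX dictionary view APEX_APPLICATION_PAGE_ITEMS is visible to the current schema and that, for password items, ATTRIBUTE_02 holds the Does not save state setting as Y or N; confirm that mapping against an item whose setting you know before relying on the result.

```sql
-- Added audit example; not Oracle's own code.
-- Assumption: for items with DISPLAY_AS_CODE = 'NATIVE_PASSWORD',
-- ATTRIBUTE_02 stores "Does not save state" (Y = not saved).
-- Assumption: ENCRYPT_SESSION_STATE starts with 'Y' when
-- "Store value encrypted in session state" is Yes.
SELECT application_id,
       page_id,
       item_name,
       NVL(attribute_02, 'N')  AS does_not_save_state,
       encrypt_session_state,
       item_protection_level,
       CASE
         WHEN NVL(attribute_02, 'N') = 'Y'
           THEN 'OK: not saved'
         WHEN UPPER(SUBSTR(encrypt_session_state, 1, 1)) = 'Y'
           THEN 'REVIEW: saved, encrypted'
         ELSE 'FIX: saved unencrypted'
       END                     AS finding
FROM   apex_application_page_items
WHERE  display_as_code = 'NATIVE_PASSWORD'
ORDER  BY finding, application_id, page_id, item_name;
```

Rows marked FIX sort first; these are the items whose password value lands in the session state tables without encryption.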