Previous
Previous 		 Next
Next

Understanding Session State Protection

Session State Protection is a built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes.

Topics:

How Session State Protection Works

When enabled, Session State Protection uses the Page Access Protection attributes and the Session State Protection item attributes with checksums positioned in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and checksums are not included checksums in generated f?p= URLs.

Enabling Session State Protection

You can enable session state protection from either the Edit Security Attributes page or the Session State Protection page.

Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.

Topics:

Enabling Session State Protection from Edit Security Attributes

To enable Session State Protection from the Edit Security Attributes page:

  1. On the Workspace home page, click the Application Builder icon.

  2. Select an application.

  3. Click the Shared Components icon.

  4. Under Security, click Security Attributes.

  5. Scroll down to Session State Protection and select Enabled from the Session State Protection list.

  6. To configure session Session State Protection, click Manage Session State Protection.

    The Session State Projection page appears.

  7. To enable, disable, or configure Session State Protection using a wizard, click Set Protection.

  8. Otherwise, navigate to the appropriate page or item attributes page and configure the Security attributes.


Tip:

To disable Session State Protection, perform the same steps again, but select Disabled instead of Enabled. Disabling Session State Protection will not change existing security attribute settings, but those attributes will be ignored at run time.

About the Expire Bookmarks Button

Enabling Session State Protection affects whether bookmarked links to the current application will work. Consider the following rules:

  1. Bookmarked links created after Session State Protection is enabled will work if the bookmarked link contains a checksum.

  2. Bookmarked links created before Session State Protection is enabled will not work if the bookmarked link contains a checksum.

  3. Bookmarks that do not contain checksums or contain unnecessary checksums will not be affected by Session State Protection.

During page rendering, the Application Express engine uses a hidden application attribute (a checksum salt) during computation and to verify checksums included in f?p URLs. When you enable Session State Protection, the Application Express engine includes checksums. You can reset the checksum salt attribute by clicking Expire Bookmarks on the Edit Security Attributes page. Note that if you click Expire Bookmarks, bookmarked URLs used to access your application that contain previously generated checksums will fail.

Enabling Session State Protection from Session State Protection

To enable Session State Protection:

  1. Navigate to the Shared Components page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

    The Session State Protection page appears. Note the current Session State Protection status (Enabled or Disabled) displays at the top of the page.

  2. Click the Set Protection button.

    The Session State Protection wizard appears.

  3. Under Select Action, select Enable and click Next.

    Next, determine whether to set security attributes for pages and items.

  4. Select Enable and click Next.

  5. Click Enable Session State Protection.


Tip:

To disable Session State Protection, perform the same steps, but select Disable instead of Enable. Disabling Session State Protection will not change existing security attribute settings, but those attributes will be ignored at run time.

Configuring Session State Protection

Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:

Topics:


Tip:

Before you can configure security attributes, you must first enable Session State Protection. See "Enabling Session State Protection".

Reviewing Existing Session State Protection Settings

You can review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.

To view summaries of existing Session State Protection settings:

  1. Navigate to the Session State Protection page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.

  3. Expand the following reports at the bottom of the page:

Configuring Session State Protection Using a Wizard

When you configure Session State Protection using a wizard, you set a value for specific attribute categories. Those selections are then applied to all pages and items within the application.

To configure Session State Protection using a wizard:

  1. Navigate to the Session State Protection page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.

    The Session State Protection wizard appears.

  3. Under Select Action, select Configure and click Next.

  4. For Page Access Protection, select one of the following:

    • Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).

    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.

    • No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.

    • No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.

  5. For Application Item Protection, select one of the following:

    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is also provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed even if Session State Protection is disabled.

      Use this attribute for application items or for page items with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

  6. For Page Data Entry Item Protection, select one of the following:

    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  7. For Page Display-Only Item Protection, select one of the following:

    • Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled.

      This attribute may be used with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

  8. Click Next.

  9. Click Finish.

Configuring Session State Protection for Pages

To configure Session State Protection for Pages:

  1. Navigate to the Session State Protection page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click the Page icon.

  3. You can customize the appearance the page using the Search bar at the top of the page. Available controls include:

    • Search icon - Resembles a magnifying glass. Click this icon to narrow your search to only specific columns. To search all columns, select All Columns.

    • Text area - Enter case insensitive search criteria (wild card characters are implied) and then click Go.

    • Go button - Executes a search or applies a filter.

    • View Chart. Use this control to view information as a chart.

    • Actions menu - Displays the Actions menu. Use this menu to customize this interactive report. See "Using the Actions Menu".

  4. Select a page number.

    The Set Page and Item Protection page appears. The following information displays at the top of the page:

    • Application ID and name

    • Session State Protection status (Enabled or Disabled)

    • Page Number

    • Page name

  5. For Page Access Protection, select one of the following:

    • Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).

    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.

    • No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.

    • No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.

  6. For Item Types, select Data Entry Items or Display-only Items.

    Data Entry items are items that can be altered using forms and include hidden items. Display-Only items are rendered only and are not submitted with the form.

  7. If you select Data Entry Items, select a session state protection level for each item:

    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  8. If you select Display-only Item, select a session state protection level for each item:

    • Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled. This attribute may be used with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  9. Click Apply Changes.

Configuring Session State Protection for Page Items

To configure Session State Protection for items:

  1. Navigate to the Session State Protection page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click the Page Item icon.

  3. You can customize the appearance the page using the Search bar at the top of the page. Available controls include:

    • Search icon - Resembles a magnifying glass. Click this icon to narrow your search to only specific columns. To search all columns, select All Columns.

    • Text area - Enter case insensitive search criteria (wild card characters are implied) and then click Go.

    • Go button - Executes a search or applies a filter.

    • Actions menu - Displays the Actions menu. Use this menu to customize the report view. See "Using the Actions Menu".

  4. Select a page number.

    The Edit Session State Protection for Page and Items page appears. The following information displays at the top of the page:

    • Application ID and name

    • Session State Protection status (Enabled or Disabled)

    • page Number

    • Page name

  5. For Page Access Protection, select a session state protection level for each item:

    • Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).

    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.

    • No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.

    • No URL Access - The page may not be accessed using a URL, however the page may be the target of a Branch to Page branch type, which does not do a URL redirect.

  6. For Item Types, select Data Entry Items or Display-only Items.

    Data Entry items are items that can be altered using forms and include hidden items. Display-Only items are rendered only and are not submitted with the form.

  7. If you select Data Entry Items, select a session state protection level for each item:

    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  8. If you select Display-only Item, select a session state protection level for each item:

    • Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled. This attribute may be used with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  9. Click Apply Changes.

Configuring Session State Protection for Application Items

To configure Session State Protection for application items:

  1. Navigate to the Session State Protection page:

    1. On the Workspace home page, click the Application Builder icon.

    2. Select an application.

    3. Click Shared Components.

    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click the Application Item icon.

  3. You can customize the appearance the page using the Search bar at the top of the page. Available controls include:

    • Search icon - Resembles a magnifying glass. Click this icon to narrow your search to only specific columns. To search all columns, select All Columns.

    • Text area - Enter case insensitive search criteria (wild card characters are implied) and then click Go.

    • Go button - Executes a search or applies a filter.

    • Actions menu - Displays the Actions menu. Use this menu to customize the report view. See "Using the Actions Menu".

  4. Select an application item.

  5. Under Security, select one of the following from the Session State Protection list:

    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit).

    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is only applicable only to items that cannot be used as data entry items and is always observed even if Session State Protection is disabled. This attribute may be used for application items or for page items with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  6. Click Apply Changes.


 Previous
Previous 		 Next
Next