Protection of session state - level user

See http://apex.oracle.com/pls/otn/f?p=40688:21

Service provider shared is enabled for the application.

Report link goes to a blank page (19), clears the cache for the page, and defines an item of level application (G_TEST)

Attribute of link checksum page for column report link is set to "User Level - reusable link by the current user.

Attribute Access Protection page for Page 19 has the value "Arguments must have checksum.

Yet, if I bookmarked a link like http://apex.oracle.com/pls/otn/f?p=40688:19:G_TEST:262487 & cs = 24061D876D616329DA0EA2CA5E9F90695

that IS NOT having the "19" in position to clear the cache of the f? p = URL, he complains about the violation of the SSP.

Shouldn't I be able to request the page successfully using some f? p = app:page:G_TEST:123 & cs = xxx? Why do I need to have the clear-cache populated?

What Miss me?

Actually, I guess the function is supposed to work is that a user could use save the link as a browser bookmark and simply return to it, session id and all. A new session would get generated, when necessary.

Yes, or even without a session ID. But the idea is that the user should not be able to change the features, i.e., the request, clear-cache or item names/values. That's what the checksum calculated on.

Scott

Tags: Database

Similar Questions

Protection of session state - Arguments must have Checksum - help needed
Hello world

I use apex 4.0 and that you have defined:

Protection of session state = True
Page = Arguments access protection must have the checksum
Point of application protection = Cecksum required - Session level
Page data entry point Protection = required Cecksum - Session level
Page Display-Only item = Cecksum required - Session-level Protection

On the pages that contain an interactive report, calls to other pages updated and or to delete a record from the pharmacokinetics of recording work OK.
I put these as follows:
In the Interactive report link-> Link attribute column = onclick = "new top. Ext.apex.PopupWindow ({url: this.href, title: 'Change collation details', width: 530, height: 500, listeners: {'success': gReport.search}}). show(); return false; »
Target = this Application Page
Page = 302Item = P302_IDCLASS
Value = #IDCLASS #.
Page Checksum = - default user.

The problem is the button 'Create a new record' that is on the page of interactive report. I set the button as:
The attributes button = onclick = "new top. Ext.apex.PopupWindow({url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302:::',_title:_'Create_New_Classification',_width:_530,_height:_500,_listeners:_{'success':_gReport.search}}).show (); return false; »
Action when click = redirect to the Page of this Application
Page = 302
Clear Cache = 302

When I click the button I get the following message:
Session state protection violation: this can be caused by a manual change to a URL containing a checksum or using a link with a missing or incorrect checksum. If you don't know what caused this error, contact the administrator of the application for assistance.

If I change the attributes of the button to be:
OnClick = "new top. Ext.apex.PopupWindow({url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::',_title:_'Create_New_Classification',_width:_530,_height:_500,_listeners:_{'success':_gReport.search}}).show (); return false; »

It works OK, bu page elements are not clear.

Could somebody please explaing to me what I am doing wrong so I understand my mistake?

Thank you

Daniel
Hello

If I understand correctly what you need...

Create a point of the MY_BTN_URL application.
You can set this element of Protection of the Session State to 'Restricted - cannot be resolved in the browser.
Create the calculation of demand for this article
Calculation Point: Before header
Calculation type: PL/SQL Expression
Calculation:
```
APEX_UTIL.PREPARE_URL (
  p_url => 'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::',
  p_checksum_type => 3
);
```
Change your attributes of button
```
onclick="new top.Ext.apex.PopupWindow({ url:'&MY_BTN_URL.', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
```
Kind regards
Jari

Published by: jarola October 25, 2011 15:50

Published by: jarola October 25, 2011 16:16

What the Protection of Session State and when it is used.
Hello

I just want to know what is the Protection of the State of Session and where it should be used.

Thank you
Deepak
Deepak,

Protection of the State of session in the Oracle apex is a built-in feature that allows you to prevent users / hackers to a URL handling in your application.

http://download.Oracle.com/docs/CD/E14373_01/AppDev.32/e11838/sec.htm#CDDGIGJH

A simple way to undersatnd, what would be your banking session. As soon as you connect, your URL would include a key and probably session information for the session that you log on. But if you copy this URL and log off and reuse the URL, you wouldn't be able to connect as that the session is over.

Or once you connect and navigate to a page, you would have the information information session and the page in your browser to the URL (say it's balance transfer page). However, this page would not directly accessible using the URL with someone else. A similar security feature can be activated by using "URL access" in the access page for Apex session state protection.

Hope this helps,
Rajesh.

Links created manually on a tree with the Protection of the active Session State
Friends,

I met a problem and hope you can help me with.

I created a tree using the method described in a book great John & Scott, 'Pro Express Application'. Here is an example of a link stored in my table:

access a page, passing it parameters

f? p = & APP_ID.:3: & SESSION.: P3_IDENTIFIER, P3_FAMILY_NAME: & P2_IDENTIFIER, & P2_FAMILY_NAME.

When the page is executed that it works as expected. I can expand the tree and go to the page, passing it the parameters if necessary.

However when I turned on the protection of session state these links "handmade" has stopped working. (What I expected because it contains no checksum!).

After some research, I see that I must use APEX_UTIL. PREPARE_URL to generate the URL with a checksum. But that's where I met problems. I can't be able to pass parameter values to the calling page.

The original tree query was:

Select "IDENTIFIER" id,
"PARENT_IDENTIFIER" the nest,
Name of "TITLE."
Link "LINK."
null a1,
null A2
a < table >

Then, I changed the option to use APEX_UTIL. PREPARE_URL:

....
APEX_UTIL. Link PREPARE_URL (Link),
....

But clicking on the link just gave me a blank page. I then hardcoded just the url in the select statement:

....
APEX_UTIL. PREPARE_URL ('f? p ='|: APP_ID |) » : 3 :'|| : APP_SESSION |': P3_IDENTIFIER, P3_FAMILY_NAME: & P2_IDENTIFIER, & P2_FAMILY_NAME. ") link.
...

and it works, the page is called, and I can see the values of the parameters passed. But I can't use this method because it is limited to a page!

Finally, I tried to store the parameter values, the parameters and the page number in different columns of the table that the tree came and then bring together them:

...
APEX_UTIL. PREPARE_URL ('f? p ='|: APP_ID |': ' | navigate_to_page |': ' |: APP_SESSION |': ' | parameter |': ' | parameter_values link).
...

Go to page set: 3
parameters a value: P3_IDENTIFIER, P3_FAMILY_NAME
parameter_values has the values of: & P2_IDENTIFIER, & P2_FAMILY_NAME.

He now calls the page, but the values of the parameters have become literals. so, where I would expect an identifier I see & P2_IDENTIFIER Idem for family name.

What I am doing wrong? How can I pass values to my page called using apex_util_prepare_url?

If necessary, the details of my environment are: Apex 3.2.1 Oracle Application Server 10.1.2.3. Database Oracle 10.2.0.3

Thanks in advance for any help you may be able to provide.
Hello

& NAME. the rating is not available in SQL, you must either use: NAME or v ('NAME') or nv ('NAME') (for numbers). One of these must be concatenated in your SQL statement in the same way that you did for: APP_ID etc.

Andy

Session state protection violation: this can be caused by manually editing the protected page P67_C point. If you don't know what caused this error.

Hi friends,
I create three field A textfield,textfield B,C textfield and apply the formula with dynamic action.
C = A + B.
Now, I want to protect user could not be total change at point C, so I change it is property of the text field to display only and change in
Settings-> save the Session State-> Yes
After all changes when I ran page and provide the registry then it shows me error below.
Session state protection violation: this can be caused by manually editing the protected page P67_C point. If you don't know what caused this error, contact the administrator of the application for assistance.

How to disable the total at point C when I use the dynamic action to calculate the Total of A + B.
Thank you.

Hi Maxence,

1. in the case of a display one element

Change your point of P67_C and change the State of Session Save-> No.

2. in the case of a text field

Change your point of P67_C and make it read-only

go to the attributes of the HTML Form element-> readonly = "readonly".

Hope this helps you,

Kind regards

Jitendra

Session state protection violation

I created the sample application to the free workspace
https://Apex.Oracle.com/pls/Apex/f?p=4550:8:0
Name of workspace: WMS_USER
Username: [email protected]
Password: password! 23
Request 40363 - shipping Office
: - > Run: click the report item
When I select the number of the item 50004257 and click on the button new 1 then show the error like session
violation of protection State
Can you please help
This link is not a job for me.

2942415 wrote:

I created the sample application to the free workspace

https://Apex.Oracle.com/pls/Apex/f?p=4550:8:0

Name of the workspace: WMS_USER

Username: [email protected]

Password: password! 23

Request 40363 - shipping Office
:-> Run it: click the report item

When I select item number 50004257 and click on the button new 1 then show the error like session
violation of protection State

Can you please help

This link is not a job for me.

Check your work application.

p3_item_desc--> edit-->--> No. session state

Apex 5.0 "session state protection violation" during the change of display only value point in dynamic action.

The following feature gives us a message "session state protection violation", after we migrated our application from Apex 4.02 to 5.0.
For example, in apex.oracle.com: https://apex.oracle.com/pls/apex/f?p=50676:1:
Whenever the value of the input field changes, the URL to test changes. This is done in a dynamic action of 'change' on the version field. The action of the set value changes the value of URL to test.
When the page is sent to the error message is displayed.
1. Why do we get this message in Apex 5.0 and not in 4.0.2?
2. What is the way to do this in the Apex 5.0?
Thank you
René

Just try save session state - no.

Session state protection error

Hello
I get an error on the browser Internet Explorer (doesn't happen in chrome), which States "Session State protection violation: this can be caused by manually editing the protected page P11_NEW_FLAG point." If you don't know what caused this error, contact the administrator of the application for assistance. Contact your administrator for the application. "

I don't know why this error because the element P11_NEW_FLAG is NOT protected at all. Here's the security properties are attributed to him:

It has a readonly condition associated with him making it readonly based on some logic PL SQL.
I don't know where to start debugging? What can be the root cause?
Thank you
Sunil Bhatia

Hi Sunil Bhatia,

Sunil Bhatia wrote:

Hi mohamed,.

No, its not hidden item, it's a FLAG (Checkbox) I display on the front end. There are readonly. I debugged and error occurring only when the box is read-only. It automatically creates checksum argument.

Other settings to watch?

Thank you

Sunil Bhatia

You use the condition parameters of article readonly?

CheckBox and select items does not in HTML readonly property. ReadOnly checkbox in the case of Oracle APEX is setting the disabled property. Therefore, on presentation of the page it is originally the error of session state protection.

An easy way to do this is to write a dynamic action (run Javascript) to disable the checkbox if necessary:
```
$("#P11_NEW_FLAG").attr("disabled",true);
```
But write a front page submit dynamic action (run Javascript) to activate elements disabled on the page, so that the layout of the page works fine:
```
$("#P11_NEW_FLAG").removeAttr("disabled");
```
Reference: Apex tips and tricks - an easy way to make read-only items

I hope this helps!

Kind regards

Kiran

session state protection - no url access
I use APEX 4.1.0 and Oracle 10 g.

I started to apply the Protection of the State of Session on my APEX pages. The option "Arguments must have Checksum" works very well for the pages accessible by URL links. "No Arguments Allowed" option also works very well for those pages that have no arguments. But I did not get "No URL access" to work for one of my pages that are accessible from branches of page with arguments.

Ideally, I would like to see an example of "No URL access" in action. I looked everywhere and have not found a good example.

This is one of the branches in my app, I tried:

The definition of the domestic Action section:
```
Target type: Page in this application
Page: 20 <-----------This is the page with "No URL Access" set.
Request:
Clear Cache: 20,RIR
Set these items: IR_ACOL,IR_BCOL
With these values: &P10_AITEM.,&P10_BITEM.
```
I don't think that there is something special here on the use of IR filters. It's the same problem with other types of pairs of point value. Let me know if you need more information.
Thank you
Jackie
Hello

If you set "No access URL" you branch to the page.
Branch type must be 'branch to the page.
When you create the branch, second page of the wizard, clear 'branch of page redirection using'.

In the branch of this type, you do not have options clear cache or set values of the element. You need to do that in the process before the branch.

Kind regards
Jari
-----
My Blog: http://dbswh.webhop.net/htmldb/f?p=BLOG:HOME:0
Twitter: http://www.twitter.com/jariolai

upgrade of the apex 4 to 4.1 facing issues such as the protection of the State of Session
I have some areas that are read-only... But when I save it
so I'm dealing with protection of session error

Session state protection violation: this can be caused by manually editing the protected page P103_empid point. If you don't know what caused this error, contact the administrator of the application for assistance.
Communicate with your administrative application

Then when I change the p103_empid_no of the text field and remove the read only status
so I'm able to save...
If I make one point only display too he recorded record successfully. and the value of session state... then saves it
but the p103_subscriber_no do not value go to the required table...
Anyone has a work around on this please let me know

What I do is I use oracle xe version 4 which has been upgraded to 4.1
This page is called from another page... I'm feteching empid value on the page, hence it is called
That is to say... Page 10 that has empid inside value...

Published by: user12233760 on October 2, 2012 01:08
Ahh well that explains it, you can not have session state on protection and then change a value of field using Javascript or dynamic action. I have stop any dynamic action on the page and try again just to try to confirm that it is the root of your problem.

These 2 threads will help:
https://CN.forums.Oracle.com/forums/thread.jspa?threadID=2383592
https://KR.forums.Oracle.com/forums/thread.jspa?threadID=2362573&start=0&TSTART=0

Thank you

Paul

How can I pass on set to the next page with protection of session?
Hey, guys:

I have a problem of protection of session problem. In a report page I created a 'map' link column, so I can pass several parameters extracted from this line to the new page where I can see the map. I used javascript popup2 and it worked fine.
```
javascript:popUp2('f?p=&APP_ID.:3006:&SESSION.::&DEBUG.::P3006_H_OFFENDER_NAME,P3006_H_OFFENDER_ID,P3006_H_ADDRESS_LATITUDE,P3006_H_ADDRESS_LONGITUDE,P3006_H_PHYSICAL_LATITUDE,P3006_H_PHYSICAL_LONGITUDE,P3006_H_ADDRESS,P3006_H_PHYSICAL_ADDRESS:#Offender Name#,#Offender ID#,#Address Latitude#,#Address Longitude#,#Physical Latitude#,#Physical Longitude#,#Address#,#Physical Address#','650','450');
```
However, I am required to set all pages, elements with protection session now. After that, I had problem like:

Try to save point P3006_H_OFFENDER_NAME in session state when the treatment of show, no internal protection.
Contact your administrator for the application.

So I changed it as redirect a page in the application and try to spend less settings and other parameters of query, but I had the similar problem:

Try to save point P3006_H_OFFENDER_ID in session state when the treatment of show, no internal protection.
Contact your administrator for the application.

I notice that most of the solutions would turn the session protection as without restriction for these items, but I'm not allowed to do. Is it possible that I can pass parameters of a line in a report while the session protection is turned on?

Thank you very much!

Sam
Sam,

The best way I've found is just to create an element hidden with the PREPARE_URL and then refer to this element in your javascript. The following example calls a page in another application, but it should work the call from one page to another in a single application:

-------------------------------

EXAMPLE:

Because we generally use checksums to level session on URLs, the URLS must be prepared with a checksum for the current session.

Say that we have to deal with page 2. Page 2 has a hidden item (for example, P2_PREPARED_URL_WITH_CKSUM_1) to organize the preparation of the "Source of value or an expression, for example:

APEX_UTIL. PREPARE_URL('f?p=9002:3:&session.::no::G_CALLING_APP_ID,G_CALLING_APP_NAME,G_CALLING_APP_PAGE_ID:&APP_ID.,&G_APP_NAME.,&APP_PAGE_ID.','SESSION');

The hidden element is then used within the "URL target" button to open the corresponding page in the other application:

JavaScript:popUp2('&P2_PREPARED_URL_WITH_CKSUM_1.',1200,1000)

-------------------------

Note in the example above, I've hard-coded the app id 9002. You want to probably use & APP_ID. bind variables syntax.

See the long thread: https://forums.oracle.com/forums/thread.jspa?messageID=10394152. He points out a way (for now) even to call a page in an application in a different workspace, but this ability that is apparently a bug and should be fixed.

Christian Neumueller has been a great help.

Chris

Connect all the elements of session state?
I need to create a record of routine that captures the current user to an APEX session state and she pours in a table of error log.

I already have the paper table and an autonomous_transaction function defined in one of my pl/sql packages, but now I need to get information from the user's session, for example what page they were, what their item app values were, what the last request has been, etc..

Does anyone know how to do that without grant select on apex_030200.wwv_flow_data the ID of the workspace where the logging feature?

Wwv_flow_data contains information for all users, I want just the logarithmic function to access the current user/app/session data only. Yes, I can filter with a where clause clause, but I rather it would be more like a self filtering view that shows you your own data (defined in the schema of the apex/flow). Even better would be a function APEX_UTIL that returns the session state in a clob or varchar2 32K maybe even in the name = value format.

My version of db is a business with Apex 3.2.0.00.27 11.1.
You'll want to use the built-in views. Here is a sample of something that I use to record values report.
```
DECLARE
CURSOR c_items IS
      SELECT item_name
        FROM apex_application_page_items
       WHERE application_id = p_application_id AND
             page_id = p_page_num AND
             (region_id = p_region_id OR
              p_region_id IS NULL) AND
             display_as NOT IN ('Stop and Start HTML Table (Displays label only)', 'Hidden and Protected');

  BEGIN
    FOR r_items IN c_items LOOP
      store_report_value(p_report_id, r_items.item_name, v(r_items.item_name));
    END LOOP;

  END;   
```
You can pass the values of Apex as: APP_SESSION,: APP_PAGE_ID,: APP_USER as parameters in a procedure.

Get the session state of the order of the day in javascript

Is there anyway to get the value of an element of demand through jS?
[I have an app that loads a different source into an iframe depending on which page the user is.] I can load this value in session state for a part of the application (or a point probably page) but for the redirect which is made in java script I don't know how to get the value of session. [I do not have it as the value of the client side.]

Thanks guys, but I think that it would give me only the value in the DOm not in session state. I had to make a page zero point and dynamic action that populated the in the DOM, and then I could use JS ($v) to get the variables.

I couldn't find a way to get session state directly.

Session state and checkboxes

Hi guys,.
I'm a little hard with the checkboxes in the APEX 4.2
I am trying to add 2 boxes in my application to filter the data
The problem is how then to value by default when the user opens the page, some data are displayed
If I use the 'Default' section in the details of the box (setting may 1 as default), when I open the web page, the checkbox is marked, but in the session state is not defined so no data will appear. If I submit the new page then Yes, the data is displayed
I could use a calculation that defined the box = 1 if it is not set when the page loads, but it would not work as the calculation would give it 1 time and again when the user the box remove the flag
Anyone know how I could apply this?
Thank you very much

Hello

so I found a solution according to the following:

-create box 2 or more

-create a hidden text field

-create a header after calculation that has always defined the hidden field = 1

-create one before the calculation of header for each box the value = 1 box only if the value of the hidden text field is null

Apex DatePicker setting session state problem.

Hi all
Workspace: hanamike
User name: test
Password: test
With the help of dynamic action, run PL/SQL, to set the session state.
Using Firefox console showing too many recursion error but session state is defined so slow.
But when the use of Ipad screen will freeze when the session state setting.
Already had the application properties, security, Mode of escape from HTML to base but still display the date value as a unicode type (c, c ++).
Please advice.
Thanks in advance.
Zack

You have set something on the change of P1_DATE1 to change the same domain, and "Remove Change Event" is set to no.

It is an infinite loop.

Protection of session state - level user

Similar Questions

Settings-> save the Session State-> Yes

Maybe you are looking for