session state protection - no url access

I use APEX 4.1.0 and Oracle 10 g.

I started to apply the Protection of the State of Session on my APEX pages. The option "Arguments must have Checksum" works very well for the pages accessible by URL links. "No Arguments Allowed" option also works very well for those pages that have no arguments. But I did not get "No URL access" to work for one of my pages that are accessible from branches of page with arguments.

Ideally, I would like to see an example of "No URL access" in action. I looked everywhere and have not found a good example.

This is one of the branches in my app, I tried:

The definition of the domestic Action section:
Target type: Page in this application
Page: 20 <-----------This is the page with "No URL Access" set.
Clear Cache: 20,RIR
Set these items: IR_ACOL,IR_BCOL
With these values: &P10_AITEM.,&P10_BITEM.
I don't think that there is something special here on the use of IR filters. It's the same problem with other types of pairs of point value. Let me know if you need more information.
Thank you


If you set "No access URL" you branch to the page.
Branch type must be 'branch to the page.
When you create the branch, second page of the wizard, clear 'branch of page redirection using'.

In the branch of this type, you do not have options clear cache or set values of the element. You need to do that in the process before the branch.

Kind regards
My Blog:

Tags: Database

Similar Questions

  • Apex 5.0 "session state protection violation" during the change of display only value point in dynamic action.

    The following feature gives us a message "session state protection violation", after we migrated our application from Apex 4.02 to 5.0.

    For example, in

    Whenever the value of the input field changes, the URL to test changes. This is done in a dynamic action of 'change' on the version field. The action of the set value changes the value of URL to test.

    When the page is sent to the error message is displayed.

    1. Why do we get this message in Apex 5.0 and not in 4.0.2?

    2. What is the way to do this in the Apex 5.0?

    Thank you


    Just try save session state - no.

  • Session state protection violation: this can be caused by manually editing the protected page P67_C point. If you don't know what caused this error.

    Hi friends,

    I create three field A textfield,textfield B,C textfield and apply the formula with dynamic action.

    C = A + B.

    Now, I want to protect user could not be total change at point C, so I change it is property of the text field to display only and change in

    Settings-> save the Session State-> Yes

    After all changes when I ran page and provide the registry then it shows me error below.

    Session state protection violation: this can be caused by manually editing the protected page P67_C point. If you don't know what caused this error, contact the administrator of the application for assistance.

    How to disable the total at point C when I use the dynamic action to calculate the Total of A + B.

    Thank you.

    Hi Maxence,

    1. in the case of a display one element

    Change your point of P67_C and change the State of Session Save-> No.

    2. in the case of a text field

    Change your point of P67_C and make it read-only

    go to the attributes of the HTML Form element-> readonly = "readonly".

    Hope this helps you,

    Kind regards


  • Session state protection error


    I get an error on the browser Internet Explorer (doesn't happen in chrome), which States "Session State protection violation: this can be caused by manually editing the protected page P11_NEW_FLAG point." If you don't know what caused this error, contact the administrator of the application for assistance. Contact your administrator for the application. "

    I don't know why this error because the element P11_NEW_FLAG is NOT protected at all. Here's the security properties are attributed to him:


    It has a readonly condition associated with him making it readonly based on some logic PL SQL.

    I don't know where to start debugging? What can be the root cause?

    Thank you

    Sunil Bhatia

    Hi Sunil Bhatia,

    Sunil Bhatia wrote:

    Hi mohamed,.

    No, its not hidden item, it's a FLAG (Checkbox) I display on the front end. There are readonly. I debugged and error occurring only when the box is read-only. It automatically creates checksum argument.

    Other settings to watch?

    Thank you

    Sunil Bhatia

    You use the condition parameters of article readonly?

    CheckBox and select items does not in HTML readonly property. ReadOnly checkbox in the case of Oracle APEX is setting the disabled property. Therefore, on presentation of the page it is originally the error of session state protection.

    An easy way to do this is to write a dynamic action (run Javascript) to disable the checkbox if necessary:


    But write a front page submit dynamic action (run Javascript) to activate elements disabled on the page, so that the layout of the page works fine:


    Reference: Apex tips and tricks - an easy way to make read-only items

    I hope this helps!

    Kind regards


  • Session state protection violation

    I created the sample application to the free workspace

    Name of workspace: WMS_USER

    Username: [email protected]

    Password: password! 23

    Request 40363 - shipping Office
    : - > Run: click the report item

    When I select the number of the item 50004257 and click on the button new 1 then show the error like session
    violation of protection State

    Can you please help

    This link is not a job for me.

    2942415 wrote:

    I created the sample application to the free workspace

    Name of the workspace: WMS_USER

    Username: [email protected]

    Password: password! 23

    Request 40363 - shipping Office
    :-> Run it: click the report item

    When I select item number 50004257 and click on the button new 1 then show the error like session
    violation of protection State

    Can you please help

    This link is not a job for me.

    Check your work application.

    p3_item_desc--> edit-->--> No. session state

  • Protection of session state - Arguments must have Checksum - help needed

    Hello world

    I use apex 4.0 and that you have defined:

    Protection of session state = True
    Page = Arguments access protection must have the checksum
    Point of application protection = Cecksum required - Session level
    Page data entry point Protection = required Cecksum - Session level
    Page Display-Only item = Cecksum required - Session-level Protection

    On the pages that contain an interactive report, calls to other pages updated and or to delete a record from the pharmacokinetics of recording work OK.
    I put these as follows:
    In the Interactive report link-> Link attribute column = onclick = "new top. Ext.apex.PopupWindow ({url: this.href, title: 'Change collation details', width: 530, height: 500, listeners: {'success':}}). show(); return false; »
    Target = this Application Page
    Page = 302Item = P302_IDCLASS
    Value = #IDCLASS #.
    Page Checksum = - default user.

    The problem is the button 'Create a new record' that is on the page of interactive report. I set the button as:
    The attributes button = onclick = "new top. Ext.apex.PopupWindow({url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302:::',_title:_'Create_New_Classification',_width:_530,_height:_500,_listeners:_{'success'}}).show (); return false; »
    Action when click = redirect to the Page of this Application
    Page = 302
    Clear Cache = 302

    When I click the button I get the following message:
    Session state protection violation: this can be caused by a manual change to a URL containing a checksum or using a link with a missing or incorrect checksum. If you don't know what caused this error, contact the administrator of the application for assistance.

    If I change the attributes of the button to be:
    OnClick = "new top. Ext.apex.PopupWindow({url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::',_title:_'Create_New_Classification',_width:_530,_height:_500,_listeners:_{'success'}}).show (); return false; »

    It works OK, bu page elements are not clear.

    Could somebody please explaing to me what I am doing wrong so I understand my mistake?

    Thank you



    If I understand correctly what you need...

    Create a point of the MY_BTN_URL application.
    You can set this element of Protection of the Session State to 'Restricted - cannot be resolved in the browser.
    Create the calculation of demand for this article
    Calculation Point: Before header
    Calculation type: PL/SQL Expression

      p_url => 'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::',
      p_checksum_type => 3

    Change your attributes of button

    onclick="new top.Ext.apex.PopupWindow({ url:'&MY_BTN_URL.', title: 'Create New Classification', width: 530, height: 500, listeners: {'success':} }).show(); return false;"

    Kind regards

    Published by: jarola October 25, 2011 15:50

    Published by: jarola October 25, 2011 16:16

  • What the Protection of Session State and when it is used.


    I just want to know what is the Protection of the State of Session and where it should be used.

    Thank you


    Protection of the State of session in the Oracle apex is a built-in feature that allows you to prevent users / hackers to a URL handling in your application.

    A simple way to undersatnd, what would be your banking session. As soon as you connect, your URL would include a key and probably session information for the session that you log on. But if you copy this URL and log off and reuse the URL, you wouldn't be able to connect as that the session is over.

    Or once you connect and navigate to a page, you would have the information information session and the page in your browser to the URL (say it's balance transfer page). However, this page would not directly accessible using the URL with someone else. A similar security feature can be activated by using "URL access" in the access page for Apex session state protection.

    Hope this helps,

  • Violation of State protection session during the creation of master page / retail

    I am trying to create a new master page / detail in Apex 5.0, and at the end of the dialog box, I get this error message:

    Session state protection violation: this can be caused by manually editing the protected page P24_MASTER_PAGE_MODE point. If you don't know what caused this error, contact the administrator of the application for assistance.

    [I am the administrator of the application, and I have not the slightest idea either.]

    The error occurs when I click Next in the dialog Page attributes. The error also occurs in other applications in the same workspace. So I don't think it's important, but I replace the default detail Page number. (The default number of Master Page is grayed out.) In addition, the dialog box layout I had selected... in a table on the same page. I've also specified no master navigation and no reports of master.

    Following archived discussion of v4.1.1, Session State protection violation, I modified a diagnostic query and run the following in my diagram:

    Select item_id, nom_element page_id, region of apex_application_page_items where nom_element = ' P24_MASTER_PAGE_MODE'

    I'm not abreast of any application in my workspace with a Page 24 and sure enough, this query returns no data found. Please take note of this before suggesting to change the attributes of the element. I don't know where the item is and not only the database, apparently. Apex seems to think there is - but where?

    Since an earlier discussion which went nowhere, I crushed my most recent request for export file, but that has not solved the problem. I also went into my workspace and created a form master / detail without error.

    Thanks for your help!

    Obfuscation Express.

    Worsening Express.

    Apex, the product you hate to love.

    It turns out that the dialog box create a Master Page / detail has a Mode option of the Page on modal Page attributes page. I'd be willing to bet, this option is not P24_MASTER_PAGE_MODE. (There is also one for the details of page: P24_DETAIL_PAGE_MODE?) But it has the Normal and gray value.

    It is also now a Select list after my dose; I think it was a type item view only before the fix, which only confirms my thought. I was wondering, which could affect, or enable or disable the modification of the attributes of session state for that element. Model and its theme came to mind, and I remember that I had tried to understand something on a model in the last days, had made a change and tried to cancel it.

    To no avail, apparently.

    Thus, a little more explore new territory, trying to find the modified model and could not. But I read that templates are collected into themes, and I found that I could renumber 26 theme in the application (926). Then make a theme create, from the repository, changing from standard to all themes, click theme 26. Then it was switching themes and rematching models and remove the renumbered theme 926.

    Voila! I can now create a master page / detail without report master!

    Thanks for all the help, with particular satisfaction for Pranav.shah, who was on the train right but don't know which track to take.

  • Violation of State protection session error - after upgrade to point 4.1.1


    After the upgrade to demand Express we get the following error message when you try to leave a page with elements of readonly:

    Session state protection violation: this can be caused by manually editing the protected page PXX_ITEM_NAME point. If you don't know what caused this error, contact the administrator of the application for assistance.

    Everything works fine in!

    Session of the element State protection has the value "without restriction".

    Someone now on a solution or possible workarounds?

    BR Paul

    Hi Paul,.

    in fact, it's a bug in the LOV awesome plug-in. In the case of the read-only, it also called

          l_name := apex_plugin.get_input_name_for_page_item(FALSE);

    but never use this value that subsequently confuses APEX when the page is sent.

    This statement, I moved to the the if ELSE

          l_name := apex_plugin.get_input_name_for_page_item(FALSE);
                '<input type="hidden" name="' || l_name || '" id="' || || '_HIDDENVALUE" value="' || p_value || '" />' || l_crlf

    and now it works.

    I'll let Dan know so that it can release a version update of the plug-in.

    My Blog:
    APEX Plug-Ins:

  • disables the State protection of pages without argument running session

    Hi all

    Components shared = > Security = > authentication schemes = > Application Express - current

    I did the steps of folowwing:

    Components shared = > Security = > Protection of the State of Session = > button Set Protection
    in the screen folowwing press Enable followed by next
    in the next screen, tap the Protections of State Session enable

    in the page components shared > Session State Protection > Protection of the Session State by Page

    the two page 0 and 1 are unrestricted

    STIL, I can't start my application

    page error 1:
    No checksum has been provided to show the processing of a page that requires a checksum when one or

    ask more, clear the cache, or argument values are passed as parameters.

    page 0 and 1 have no element

    Page 1 has a region of the type list
    and uses the list available on page 0, but using a list template override od Pull Down Menu with

    Image of the same list on page 0 has a model list of Menu DHTML with sublist

    I am at a loss of the EUL solutions is the protection of the session off all State

    Help, please


    It's a quirk in how the login page is called using the deep link, created by the manufacturer. To work around this problem, you can set page 101 to Unrestricted so that no amount of control is necessary.


  • Links created manually on a tree with the Protection of the active Session State


    I met a problem and hope you can help me with.

    I created a tree using the method described in a book great John & Scott, 'Pro Express Application'. Here is an example of a link stored in my table:

    access a page, passing it parameters


    When the page is executed that it works as expected. I can expand the tree and go to the page, passing it the parameters if necessary.

    However when I turned on the protection of session state these links "handmade" has stopped working. (What I expected because it contains no checksum!).

    After some research, I see that I must use APEX_UTIL. PREPARE_URL to generate the URL with a checksum. But that's where I met problems. I can't be able to pass parameter values to the calling page.

    The original tree query was:

    Select "IDENTIFIER" id,
    "PARENT_IDENTIFIER" the nest,
    Name of "TITLE."
    Link "LINK."
    null a1,
    null A2
    a < table >

    Then, I changed the option to use APEX_UTIL. PREPARE_URL:


    But clicking on the link just gave me a blank page. I then hardcoded just the url in the select statement:


    and it works, the page is called, and I can see the values of the parameters passed. But I can't use this method because it is limited to a page!

    Finally, I tried to store the parameter values, the parameters and the page number in different columns of the table that the tree came and then bring together them:

    APEX_UTIL. PREPARE_URL ('f? p ='|: APP_ID |': ' | navigate_to_page |': ' |: APP_SESSION |': ' | parameter |': ' | parameter_values link).

    Go to page set: 3
    parameters a value: P3_IDENTIFIER, P3_FAMILY_NAME
    parameter_values has the values of: & P2_IDENTIFIER, & P2_FAMILY_NAME.

    He now calls the page, but the values of the parameters have become literals. so, where I would expect an identifier I see & P2_IDENTIFIER Idem for family name.

    What I am doing wrong? How can I pass values to my page called using apex_util_prepare_url?

    If necessary, the details of my environment are: Apex 3.2.1 Oracle Application Server Database Oracle

    Thanks in advance for any help you may be able to provide.


    & NAME. the rating is not available in SQL, you must either use: NAME or v ('NAME') or nv ('NAME') (for numbers). One of these must be concatenated in your SQL statement in the same way that you did for: APP_ID etc.


  • Pass values of the item to the page with 'No URL Access'

    I have a request of "high security" where I try to limit the information passed around in the URL so I have several pages with branches of the 'branch to the page' where the target page access protection is set to "no access URL".

    However, I still need to set multiple values page element in the target page (the one I am connexiona step).

    Thinking about how to do what I thought of two ways to get this data to the target page.
    First way:
    (a) set up several calculations in the source page that calculates the values of the element in the target page and subordinate these calculations on a button application.
    (b) set up my 'on page' management on the source with the same request conditional button.

    Second way:
    (a) put in place target with a process of pl/sql page that defines the page elements
    APEX_UTIL. SET_SESSION_STATE('P31_SSN',:P40_SSN); -P31 is the target page
    do the same for all elements on the page. The process of subjecting to press the button.
    (b) implemented the same 'page' branch on the source with the same conditional key.

    Pro or con either of these approaches? Is there a different approach? I'm IMPOSSIBLE in any case implement a branch to URL with the item values in the URL as I don't want sensitive data columns in newspapers. I know that set_session_state can have interesting interactions with variable bind where they may not be, but I see no problem with my test pages...

    It doesn't matter what technique lets you define the session state - do what is easier. Call for apex_util.set_session_state is the same as make an assignment, for example,.


    .. .is equivalent to

    : P31_SSN: =: P40_SSN;

    Calculations are the same thing.

    Application parts are not broader than the elements on the page regarding the scope of application; any point in the session state can be referenced by any element of the request. Application parts are no rendering/display properties or association of specific page.


  • Connect all the elements of session state?

    I need to create a record of routine that captures the current user to an APEX session state and she pours in a table of error log.

    I already have the paper table and an autonomous_transaction function defined in one of my pl/sql packages, but now I need to get information from the user's session, for example what page they were, what their item app values were, what the last request has been, etc..

    Does anyone know how to do that without grant select on apex_030200.wwv_flow_data the ID of the workspace where the logging feature?

    Wwv_flow_data contains information for all users, I want just the logarithmic function to access the current user/app/session data only. Yes, I can filter with a where clause clause, but I rather it would be more like a self filtering view that shows you your own data (defined in the schema of the apex/flow). Even better would be a function APEX_UTIL that returns the session state in a clob or varchar2 32K maybe even in the name = value format.

    My version of db is a business with Apex 11.1.

    You'll want to use the built-in views. Here is a sample of something that I use to record values report.

    CURSOR c_items IS
          SELECT item_name
            FROM apex_application_page_items
           WHERE application_id = p_application_id AND
                 page_id = p_page_num AND
                 (region_id = p_region_id OR
                  p_region_id IS NULL) AND
                 display_as NOT IN ('Stop and Start HTML Table (Displays label only)', 'Hidden and Protected');
        FOR r_items IN c_items LOOP
          store_report_value(p_report_id, r_items.item_name, v(r_items.item_name));
        END LOOP;

    You can pass the values of Apex as: APP_SESSION,: APP_PAGE_ID,: APP_USER as parameters in a procedure.

  • session state variable, concept and work around

    I use the variable session state and tried under the code element. But so far, I've had it is that when a variable assigned a value in plsql block, its scope has ended so only.

    And in the next step using the simple sql variable within the same session, we had manifest error.

    Is there a work around using too simple sql variable.

      2  as
      3  mysess_var number;
      4  end;
      5  /
    Package created.
    SQL> create table tmp_sess as select 1 sess_id from dual;
    Table created.
    SQL> declare
      2  begin
      3  MYPACKAGE.mysess_var := 1;--Assiging value
      4  insert into tmp_sess values (MYPACKAGE.mysess_var);
      5  commit;
      6  end;
      7  /
    PL/SQL procedure successfully completed.
    SQL> --I also want this to be achive for plain sql syntax,  is it possible
    SQL> insert into tmp_sess values (MYPACKAGE.mysess_var);
    insert into tmp_sess values (MYPACKAGE.mysess_var)
    ERROR at line 1:
    ORA-06553: PLS-221: 'MYSESS_VAR' is not a procedure or is undefined

    You cannot access variable defined in a package of SQL. Good way would be to define the getter and setter methods.

    SQL> create or replace package mypackage
      2  as
      3    mysess_var number;
      4    procedure set_value (pvalue in number);
      5    function get_value return number;
      6  end;
      7  /
    Package created.
    SQL> create or replace package body mypackage
      2  as
      3    procedure set_value (pvalue in number)
      4    is
      5    begin
      6      mysess_var := pvalue;
      7    end;
      9    function get_value return number
     10    is
     11    begin
     12      return mysess_var;
     13    end;
     14  end;
     15  /
    Package body created.
    SQL> exec mypackage.set_value(1)
    PL/SQL procedure successfully completed.
    SQL> select mypackage.get_value
      2    from dual;
  • iFrames and blocks direct URL access to certain pages

    I've been designing a site in Muse using Widgets (iFrames) of the Composition. Because the site that I create is quite large with updates and frequent changes, I won't be publish and download the entire site, whenever I have make a change or add content (like muse seems to force me to do, even when I change a single image). So as a work, within the iFrame, I insert HTML that links to a separate "mini site" Muse in another folder in my folder root (in a manner similar to adding a blog or Twitter feed into a Widget). This way I can make changes and don't have to publish and download small pieces of the larger site. These mini-sites conducted small, contents are incomplete in regard to corporate image and layout of Web site and I don't want people to access it directly, but I DON'T want the search engines to access information in their breast.

    So how can I block a public direct URL access to the "mini-sites" without blocking the site parent to access and display them in the iFrame? I want the user to be redirected to the site parent if a picks up more search engine "mini site" content, rather than being directed to the page itself.

    I know that I won't be able to this in the Muse, using Dreamweaver or any other editor is fine. I'm not fluent HTML, PHP, CSS, or any other language, but I can muddle my way through it, if I have the direction.

    I hesitate now to present a link to the test site I've created (even if I could do it on request), so I hope I have explained myself well enough.

    Thanks for any help.

    This has nothing to do with the Muse or elsewhere in the HTML. You would have to put in place a whole bunch of rules server side to transfer users and extract content from specific referents, but in the end, there are a lot of mumbo jumbo for nothing. Search engines can pretend to be browsers browsers can pretend to be stupid to caterpillars and even obscured links can be followed in any way. You should just press F12 and cross browser debugging console. I'm afraid that it is something that you really can do it properly, using a dynamic system where you can use the ID session PHP, cookies, or personalised channels encoded in your URL. In your scenario current all you can do is to use .htaccess and robots.txt files to block search engines to dig in your records, but they still don't sign up under your main domain name and not necessarily pass. On the other hand, since the search engine still has the URL of the folder, little sleuths like me could pull off, stick it in a separate window and then apply the view of the folder for the site when possible or browse your files based on the URL in the iFrame code or their names. What you want is fundamentally mutually exclusive and goes against the work of sites HTML static how.


Maybe you are looking for