Session state protection and read-only items

I have a requirement to create a report + form for a database table. In the form, there is mandatory database column that needs to be displayed but it should be read-only and its value derived using values entered elsewhere on the screen.
It tried Display Only, Read Only and Disabled but they either fall foul of session state protection violation or ORA-01400: cannot insert NULL. The best method that I've found was to add readonly="readonly" the item element, but this causes the input item to lose its APEX classes and I'd prefer a declarative solution anyway.
Anyone know the best approach?
I've created a DEMO - http://apex.oracle.com/pls/apex/f?p=READONLY - which demonstrates the 4 methods.
Edited by: KGelling on 17-May-2012 06:10

KGelling wrote:
The best method that I've found was to add readonly="readonly" the item element, but this causes the input item to lose its APEX classes and I'd prefer a declarative solution anyway.Looks like a bug to me. However a possible explanation/justification for this behaviour is that the HTML Form Element Attributes are often used to specify a custom class for the item, so the default class is removed to prevent any conflicts. IMO APEX needs to provide declarative support for the use of multiple, space-separated class values in page, region, item etc attributes.
As a workaround in this case, just include the class in the HTML Form Element Attributes:
class="number_field" readonly="readonly"
I've created a DEMO - http://apex.oracle.com/pls/apex/f?p=READONLY - which demonstrates the 4 methods.
Thanks for making the effort.

Similar Messages

Defaulting Values and Read-Only Items?

Hi All,
Brand new to APEX and trying to think of ways to get a few things working for me hoping you might have some suggestions.
1. Want to have a few items default upon the creation of a record.
- Created Date - have a column/page item that I would like to default/auto populate with the current date
- Create by - would like to have column/page item default with the login id of the user
2. Dynamically make page/items read-only.
- Once a record is created I would like to ensure that the only person able to edit the record would be the creator. I assume I can use the Read Only feature at the item level but am unsure of the syntax to use to make the item read-only for only the user who created/or is creating the record. Since I would like to be defaulting the "Create by" (see question 1) column to the login id of the user this should be plausible just not sure of the syntax to reference the current user id.
3. Passing a value to to bind variable.
- I have build a basic page with an Interactive Report and have made one of the columns in the Interactive report 'linkable' which launches a BI Publisher report by calling a Report Query. Currently in my report query I have hard coded a value in the SQL statements where clause to prove the theory works what I am struggling with is a declarative way to pass the value that I am clicking to a bind variable in my SQL statements where clause in the query.
Thanks in advance for any suggestions and appreciate your patience with an APEX newbie .. about 2 days old at this juncture. The more specific you can be on what to do and where to go is greatly appreciated.
For those interested in have greater control with your report layout BI Publisher looks to be a great options. I was able to getting by reviewing [how to document:|http://www.oracle.com/technology/products/database/application_express/howtos/howto_master_detail_pdf.html] on OTN. My challenge some in the fact that rather then simply being on the exact row that I want reported on I would like to simply click on a link in a list and pass that value as the bind variable.
JES

Hi -
"1. Want to have a few items default upon the creation of a record."
This is typically done in a trigger at the db level.
CREATE OR REPLACE TRIGGER mytrigger
BEFORE INSERT OR UPDATE
ON mytable
REFERENCING NEW AS new OLD AS old
FOR EACH ROW
BEGIN
if (:new.CREATED_DATE is null)
    then
      :new.CREATED_DATE := sysdate;
    end if;
if (:new.CREATED_USER is null)
    then
      :new.CREATED_USER := nvl(v('APP_USER'),user);
    end if;
:new.UPDATED_DATE := sysdate;
:new.UPDATED_USER := nvl(v('APP_USER'),user);
END CREATE OR REPLACE TRIGGER mytrigger;"2. Dynamically make page/items read-only."
See 'APP_USER' in the Apex docs...
"3. Passing a value to to bind variable."
This is done in the report configuration in the Apex UI...
Session State Include application and session information.
You might want to consider reviewing some of the Apex docs and tutorials, I recommend this:
[http://download.oracle.com/docs/cd/E14373_01/appdev.32/e13367/toc.htm]
Good luck.

AJAX and Read-Only Items

I used the examples from Carl Backstrom and Denes Kubicek to get my cascading select list working.
I have two select list fields (Origin and Type) that I use to determine the data to appear in a third select list field (Customer).
With help from people on this forum I was able to get things to work.
Now I have an issue when I conditionally make the Origin field "read-only".
When this occurs, data appears in my "Customer" select list on the INITIAL display of the form.
However, when I change the value in the "Type" select list field, no data appears in the Customer select list.
If I change the "Origin" field to NOT be read-only, I can change the value in the "Type" select list field and everything works OK.
I hope I have given enough information.
THANKS in advance.
Raymond

Raymond,
It looks like read-only select is really special:
(I replaced < > with [])
When select is not read-only generated html is:
[select name="p_t01" size="1" id="P1_ORIGIN_NO"
onchange="get_AJAX_SELECT_XML('P1_ORIGIN_NO','P1_DISPLAY_SSA','','','P1_CUSTOMER','CASCADING_CUSTOMER_LOV')";
[option value="%null%"]%[option]
[option selected="selected" value="001"]DOTIKI MINE[option]
[option value="S01"]ECO COAL PELLETIZATION NO. 12, LLC[option]
[select]
It means that P1_ORIGIN_NO in get_AJAX_SELECT_XML will be "001"
But when select is read-only your html code is:
[input type="hidden" name="p_t01" value="001" /]
[span id="P2_ORIGIN_NO"
onchange=
"get_AJAX_SELECT_XML('P2_ORIGIN_NO','P2_DISPLAY_SSA','','','P2_CUSTOMER','CASCADING_CUSTOMER_LOV')";
DOTIKI MINE
[span]
[pre]
P2_ORIGIN_NO in get_AJAX_SELECT_XML will be "DOTIKI MINE" which I think is wrong.
It looks like for read-only you need hidden item with code of
drop - down list or somehow you have to reach [input type="hidden" name="p_t01" value="001" /]
Lev
Message was edited by:
le

Session state protection and navigation to url outside apex

Hi
I am working in on an app , in which base on unique key for each customer and i have to show his address on map(google.api) i used apex util to prepare url and enable checksumprotection on that item to pass it on the map.
I have another page which is details of customer also based on that unique , which works fine as its in apex only
what i notice is that , when i navigate to external url(maps.google.com) the session is different than what i originally had, which causes problem when i want to navigate from map (java script info window ) to navigate to detail using same unique key of customer.
I read this was a bug in 4.1 but i am using 4.1.1 assuming the bug was fixed.
Db 11G
Oc4j
linux
Kindly help

Hello Red Bull,
Following article will help you in integration of google maps api through web services:
[url http://www.oracle.com/technetwork/developer-tools/apex/application-express/integration-086636.html#GOOGLE]Integrating Application Express with Google Maps
OR
You can just try plugins available on http://apex-plugin.com.
One of it which can be of your help is:
[url http://apex-plugin.com/oracle-apex-plugins/item-plugin/location-map-image_97.html]Display Location on a Google Map
by @Peter Raganitsch of which blog article is:
http://www.oracle-and-apex.com/plugin-location-map-image/
Hope it helps!
Regards,
Kiran

Problem since upgrade to 2.0 "Error: Session state protection violation"

I've upgraded to 2.0. Everything fine except one particular page when I submit it I get "Error: Session state protection violation". I have read up about session state protection, and it is turned off in my application. There are no items, pages or URLs that have any session state protection. There is nothing particularly different about this screen when compared to other screens that work. What can be causing this?
Steve

Steve - Thanks for putting that test case out there. This is an odd bug. It happens when you apply the read-only attribute to a "Display as Text (does not save state)" item. Normally, these items are not HTML input items on the page (you see only the value rendered). However, because of a bug, applying the read-only attribute causes an INPUT item to be created. This leads to the problem that you saw -- when an item that should never be POSTed because it is: a) an application item, b) a page item that has the Session State Protection attribute "Restricted - May not be set from browser", or c) a page item of display type "Display as Text (does not save state)", is POSTed, the Session State Protection violation is detected and reported. These checks are performed whether the Session State Protection feature is enabled for the application or not. The reason for that is that checking for cases(a) and (c) is always legitimate and checking for case (b) is always necessary because the Restricted attribute for page items of qualifying display types is always in effect.
So the workaround in your case is not to use the read-only attribute for the display-only items. They are read-only anyway.
Thanks again for pointing this out.
Scott

Session State Protection Violation error

I am developing my first Apex application. I have this page which has been running fine until I made some changes. The error I get is the following:
-----Error message:
Session state protection violation. This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
--End of error message.
This happens Whenever the page is submitted for process, e.g. when I select from a "LOV with Submit" item or when I click the "Save Changes" button. It is fine if the button redirects to another page. Using Debug, I saw that the error occurs right after "Fetch page attributes" and before "Fetch session state from database".
About the changes I made before this error first surfaced: nothing to do with session state protection and nothing I can think of that is related to session state protection. In fact, I did not specify any session state protection at any level at this stage. That is, all pages and items are unrestricted. I did add a javascript to the page which is invoked onChange of an item to update another item. I made the same changes (except for the Javascript) to another similar page which is still running fine.
I tried logging out of Apex (I am using OracleXE) and getting back on, the error still persists. I even shut down and restart the Apex database to no avail.
Can anyone point me to where it might be the cause of this problem? Thank your help and/or suggestions in advance.
Message was edited by:
muighi

Scott - I should have posted this question sooner! I wasted a whole day trying to figure this out. Thanks a lot, Scott. By the way, where can I find any documented known bugs in Apex?
--Candy

Session State Protection - Arguments must have Checksum - Help Required

Hi everyone,
I am using apex 4.0 and have set:
Session State Protection = True
Page Access Protection = Arguments must have checksum
Application Item Protection = Cecksum required - Session Level
Page Data Entry Item Protection = Cecksum required - Session Level
Page Display-Only Item Protection = Cecksum required - Session Level
On pages which contain a Interactive report the calls to other pages to update and or delete a record passing the PK of the record work OK.
I have set these as follows:
In the Interactive report LInk Colomn --> Link Attribute = onclick="new top.Ext.apex.PopupWindow( { url: this.href, title: 'Edit Classification Details', width: 530, height: 500, listeners: {'success': gReport.search} } ).show(); return false;"
Target = Page in this Application
Page = 302Item = P302_IDCLASS
Value = #IDCLASS#
Page Checksum = - User Default -
The problem is on the "Create new record" button which is located on the Interactive report page. I have defined the button as:
Button Attributes = onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
Action when button click = Redirect to Page in this Application
Page = 302
Clear Cache = 302
When I click the button I get the following message:
Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
If I change the Button attributes to be:
onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
It works OK, bu the page items are not clear.
Could someone please explaing to me what am I doing wrong so I understand my mistake ?
Thank you
Daniel

Here's an interesting situation. I have been having great results with the prepare_url function, until I needed to pass a column value from a report into a popup.
Originally, in the Column Link --> URL in the Report Attributes I had this. This worked great when there was no session state protection enabled.
javascript:popUp('f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#','450','375');When I enabled session state protection and changed the URL link to this
javascript:popUp('&VW_EVENT_LOG.','450','375');and then created an application item and computation in order to pass a checksum along
APEX_UTIL.PREPARE_URL (
p_url => 'f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#',
p_checksum_type => 3
);the checksum seems to get passed fine, but the column value for the EVENT_LOG_ID is being concatenated to the end of the checksum instead of being passed as the value for P17_EVENT_LOG_ID. I also noticed that the clear cache page (17) looks like it is also being attached to the beginning of P17_.., but I'm not sure if that's to be expected or not.
It took me a while to figure it out, but when I started looking at the error message closely, I could see that the checksum is identical except for the last two digits, which coincidentally are the same as the ID for this record.
The checksum computed on the request, clear cache, argument names,
and argument values (17P17_EVENT_LOG_ID [C6161B29B4C078F68DCF430133407754] ) did not match the checksum
passed into the show procedure (C6161B29B4C078F68DCF43013340775490). Any thoughts on how to pass a column value with a checksum to a popup window?
Thanks,
Joe

Session state protection violation: This may be caused by manual alteration of protected page item P300_name. If you are unsure what caused this error, please contact the application administrator for assistance.

HI ,
the application item is working fine previously. i did not change anything. it is giving error message on p300_name when i submit page
p300_name is text filed.
html form element attributes: disabled="disabled"
source used: always replace any existing value
source type :database columm
: per session
source value: name
default_value: g_name (global variable)
read only: always
read only attributes: name
Please help me to fix this error.
Thanks,

Check the Security attributes of the item, namely 'session state protection'
Similar attributes at page level

Interactive Report Download and Session State Protection

I have created an Interactive Report in an APEX application that I have enabled
session state protection for. The issue I am having is with the "Download"
functionality of the interactive report to a .csv file.
The URL created by selecting Download from the drop down (javascript:gReport.controls.download();)
is built or constructed without a checksum thus causing the error below.
Error
No checksum was provided to show processing for a page that
requires a checksum when one or more request, clear cache, or argument
values are passed as parameters.
The anchor tag containing the URL (/f?p=app_id:page:session_id:CSV:) is contained within
<div id="apexir_CONTROL_PANEL_DROP" class="drop_panel
clearfix" style="">
Running the following: Application Express 3.1.0.00.32 on Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
Is there a way to add a checksum to this? OR does anyone have any ideas on how to work around this?
Edited by: Bryce Tuohy on Feb 26, 2009 10:08 AM

WORKAROUND:
1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
Enter the following for the ITEM
as the SOURCE_TYPE : PL/SQL Function Body
as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
2.) Create BUTTON that executes javascript to open POPUP window with this url.
a.) Create Button and enter
<a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')">Download and Save to CSV file</a>as the "Text Label/Alt"
Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

Possible to make an item editable for certain users and read only for other

Is it possible to make an item editable for certain users and read only for others?
I've been able to accomplish this by taken the select statement that I used to define an authorization scheme, placing it in the Read Only condition of the item. However, I would like to simply reference the authorization scheme to utilize caching, and to help keep things cleaner for future maintenance.
Is it possible to reference an authorization scheme in an item condition similar to the way another item can be referenced by preceding it with a colon (i.e. :P1_First_Name)?

Thank you, your suggestion worked.
It would be nice on a future release of APEX if a drop-down box existed under the Ready Only section that would allow an existing Authorization Scheme to be selected or negated when applying the Read Only attribute to a form item.

Report Print Attributes and Session State Protection

Hi all,
I have a report (old style Apex report, not an IR) that I would like to have a Print option, producing a PDF output.
The report is on a page that takes a number of arguments and uses the page security option "Arguments require checksum".
When I turn on the Enable Report Printing option in the report, the Print link appears at the bottom of the report. However, clicking Print leads to the following message:
"Error No checksum was provided to show processing for a page that requires a checksum when one or more request, clear cache, or argument values are passed as parameters."
Disabling Session State Protection for that page makes the report link work, but I would prefer not to do that.
How do I get the built-in report print option to generate the required checksum?
I'm using Apex 4.0.2.00.07, by the way.
Alex

WORKAROUND:
1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
Enter the following for the ITEM
as the SOURCE_TYPE : PL/SQL Function Body
as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
2.) Create BUTTON that executes javascript to open POPUP window with this url.
a.) Create Button and enter
<a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')">Download and Save to CSV file</a>as the "Text Label/Alt"
Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

Session State Protection invalid Checksum errors show valid checksum

Hi,
I am investigating Session Sate Prtection to let me make my appications more secure.
I have created a simple Report / Form pair that allows me to open an item for edditing.
I have set the Application to Session State Protection 'Enabled' and and my form page to Page Access Prtection 'Arguments Must Have Checksum'.
From my report page I click on the edit icon for a row and I get the edit page with the url:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1179&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
If I then manually manipulate this url, to change my P3_WORK_PACKAGE_ID from 1179 to 1180, to:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
I get an error of:
Error The checksum computed on the request, clear cache, argument names, and argument values (P3_WORK_PACKAGE_ID1180 [01BE394775DB7B5A861BEA77B6637A46] ) did not match the checksum passed into the show procedure (CC0C97D3A8B114D2E40EDF158C0AECFB).
All well and good, but it tells me what the checksum should be. I can now update the url to use the displayed checksum to make the url:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=301BE394775DB7B5A861BEA77B6637A46
the form opens for P3_WORK_PACKAGE_ID 1180.
How do I stop the error message telling my how to bypass the checksum security?
Thanks,
Martin

I am not sure but maybe this detailed message is coming if you are logged in to Apex and otherwise it is showing more general error message with no checksum?

Session State Protection Confusion!

Hello all,
I'm looking into SSP, and find it very confusing; there are so many ways to implement it, and I'm just not sure which I should choose.
I basically want to stop people tampering with the URL to change the values of variables and the like. I have currently enabled SSP for every page, which seems to work fine.
However, you can also do it for each item and application item; is this also necessary, or are these options only there if I only wanted to enable SSP for a very specific thing (item) rather than an entire page?
Does enabling SSP at page level protect the items (application and other) on that page in the same way enabling SSP for each of those items would do?
Also, are there any implications from using SSP? Will some things not work if I enable it in some instances?
Thanks for your help.
Robin

Robin,
These are all good questions.
What situations would arise when you'd want to use "No URL Access" for page access protection and "Restricted - May not be set from browser" for various item protections?
Sometimes you have pages that you would never want a user to "get to" unless they had used the navigation controls that you built into the application. For example, the intermediate steps within a wizard. You may have seen examples of this in the Application Builder as you step through wizards (and in other places) where you'll be on a page and in the URL all you see is ..wwv_flow.accept, with no f?p URL that tells you what page ID was requested. This is an example of a Branch to Page branch in use. This type of branch does not do a redirect to an f?p URL but instead has the engine's "accept" procedure (from the last page submission) call the engine's "show" procedure directly using PL/SQL without introducing a new HTTP request. So if you have pages like that and you use Branch to Page branches as the "normal" way to get to them AND you want to prevent users from specifying those page IDs in URLS, then this feature of Session State Protection is available to support that.
and how does the "Restricted - May not..." differ from the "Checksum Required - Session Level"; is that literally where a user can't alter the value of an item in the application, or is there more to it than that?
Restricted ... prevents an item from being altered from outside the application. The only way you can set or change these items is by application logic. This feature can be used for items even if Session State Protection is not enabled for the application.
Also, I can't understand just what user level and application level checksums would be useful for.
Normally, when SSP checksums are generated, they are good for the current session. Say you have a URL like:
f?p=100:55:ssssssss::NO::P1_ITEM,P2_ITEM:some-value-1,some-value2&cs=38DDFE1C102BDE167BCD66F4C2E77E16E
A curious user might say, oh, I think I'll bookmark that link and run it again tomorrow to set the same page items to the same values. Well that doesn't work because the checksum is session ID specific. This also makes the hashing algorithm more secure.
But sometimes you want to provide checksum-secured links that users can bookmark. Maybe you want to email a link to your application to a specific user and the link provides some key value that should be used by that specific user only (and you have authorization logic in the application to enforce that), like f?p...P10_USER_KEY:ABc568zz&cs=238DDFE1C102BDE167BCD66F4C2E77E16D. This is where the use of a User-Level checksum would be applicable. After the user clicks on the link and authenticates, the provided checksum can be verified against a new checksum computed on P10_USER_KEY:ABc568zz. These links can be used across sessions for this type of use but the checksum prevents alteration of the request arguments even by the intended user.
The third type of checksum is the Application-Level (or Workspace-Level) checksum. Links with this type of checksum can be used by any user so long as the requested application is really the same application from the same workspace that generated the link. The checksum prevents alteration of the request arguments by the user.
Scott

Session state protection violation

I turned on the session state protection on my application, the setting for Application Item, Page Data Entry Item and page display-only item are "checksum-required, application level". I want the URL to be shared by user in different sessions (for example bookmark). when I open two browsers (IE, Firefox) and login as same user, I copied/pasted url from one browser to another and received "Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum."
Did I misunderstand the intent usage of this feature? I also noticed that checksum generated by the system remains the same no matter what checksum level I set (application, user, session).
I am running APEX 3.1.0.00.32.

Cheng-Lu,
I didn't forget you, this was a very difficult problem to debug.
I think I have a workaround for you. I added a page process to your login page named "fix deep link item". This restores the value of FSP_AFTER_LOGIN_URL that gets passed to this login page and is supposed to be immediately saved in session state. Due to a bug, this value was getting truncated to "f" before it could be saved. The new page process looks at the current URL and uses the value there which is still intact and saves that value in session state. I tested it with your applications. Please let me know if this works. We'll make a proper fix in the 3.2 release.
So this was not a problem with session state protection but in the "f" procedure which parses argument names/argument values in f?p URLs. This gets tripped up when an argument value contains a pattern like &cs= which is first treated as an argument to the orignal "f" call and therefore is never seen as an argument value in the list of arguments.
I have some other observations about your applications. I see that they have code in the page sentry function attribute of the authentication scheme. The code you have in there is completely unnecessary and could actually make the application less secure. You should leave this attribute empty and let the default (built-in) page sentry do all the work.
Scott

Session State Protection breaks Cascading LOV.

Hi,
Whenever I turn Session State Protection on my application , with option 'Arguments Must Have Checksum' on the page level,
Items defined with a cascading LOV will not work. Once session state protection is on for the page, and I change the value of a parent
LOV, the Child Item LOV (defined with Cascading LOV) will not show any value and the 'round working icon' will just keep on going
and does not end, The Child/Cascading LOV seems to be just hanging and not return any values. This happens consistently (APEX 4.1.1.).
There are no threads existing for this behavior, would like to know if this is a known issue and if there is a fix.
Thanks,
Ramon

The documentation says, "If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit)." In practice, what this means (among other things) is that items that are identified as "Cascading LOV Parent Item(s)" must have "Session State Protection" set to "Unrestricted".

Session state protection and read-only items

Similar Messages

Maybe you are looking for