Plugnav: Access to session state

We have customised the horizontal dropdown scheme, and want to add an "Applications" dropdown, where each entry is a link to a Citrix NFuse published application. (We want the user to access everything from the portal, even Word, Excel....)
I have the customised NFuse code to return my links, but retrieving these is slow, so I only want to do it the first time a user enters the portal session.
Does anyone know how I can store the link details in viewstate or session state (or any other way) so I can get my scheme to create the dropdown on subsequent refreshes without requerying the Citrix database?

Session data is accessible by the session, that is why it is "session scoped" (obviously).
If you need to access such data from another session you can put the bean in the application context.
Could you explain a little so we can understand why you need that?
Regards,

Similar Messages

  • Session State Protection invalid Checksum errors show valid checksum

    Hi,
    I am investigating Session State Protection to let me make my applications more secure.
    I have created a simple Report / Form pair that allows me to open an item for editing.
    I have set the Application to Session State Protection 'Enabled' and my form page to Page Access Protection 'Arguments Must Have Checksum'.
    From my report page I click on the edit icon for a row and I get the edit page with the url:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1179&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
    If I then manually manipulate this url, to change my P3_WORK_PACKAGE_ID from 1179 to 1180, to:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
    I get an error of:
    Error The checksum computed on the request, clear cache, argument names, and argument values (P3_WORK_PACKAGE_ID1180 [01BE394775DB7B5A861BEA77B6637A46] ) did not match the checksum passed into the show procedure (CC0C97D3A8B114D2E40EDF158C0AECFB).
    All well and good, but it tells me what the checksum should be. I can now update the url to use the displayed checksum to make the url:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=301BE394775DB7B5A861BEA77B6637A46
    the form opens for P3_WORK_PACKAGE_ID 1180.
    How do I stop the error message telling me how to bypass the checksum security?
    Thanks,
    Martin

    I am not sure, but maybe this detailed message is coming if you are logged in to Apex, and otherwise it is showing a more general error message with no checksum?

  • Query referencing session state not consistently returning data

    Hi,
    I have a form that summarizes expense data by category for employees, per fiscal year, fiscal period, and project.
    Clicking on a button next to a particular category takes the user to a new page that should display the detail of those expenses, based on expense_code.
    The expense_code is passed via URL to the second page, and the query region for the detail has the following source:
    select exp_code, JRNL_ID_NO, DESCRIPTION, REFERENCE, CUR_PER_TRAN, CUM_YTD
    from fgspec_ac where exp_code between :P118_EXPENSE_CODE_FROM and :P118_EXPENSE_CODE_TO and project=:P114_PROJECT and fis_year=:P114_FIS_YEAR and fis_period=:P114_FIS_PERIOD
    :P118_EXPENSE_CODE_FROM and :P118_EXPENSE_CODE_TO are passed via URL, and the :P114_% fields reference data on the initial form.
    The problem is that when I click on the button to bring up the detail for the first time, the query returns no rows. If I return to the original form and click on the button a second time, the query then displays the required data. This behavior is consistent, regardless of expense category, fiscal period, etc. The first time I try to access detail, no records returned, but the second time, it works.
    I have used the 'SESSION' link to debug and view the session state in each case, and the results are IDENTICAL whether the query returns data or not. That is, all 5 variables contain the exact same data.
    Do you know what I might be doing wrong?
    Thanks,
    Michelle

    Hi guys,
    Thanks very much for your replies. In fact, I have tried both methods. Yes, I am navigating from page 114 to 118, and passing values to page 118 from page 114 (ie: P114_PROJECT passes to P118_PROJECT, etc...). In my query, I have tried referencing both, with the same results.
    When checking values in session state (by using the 'SESSION' link), values from page 114 are available in both cases (when the query returns rows and when it does not). It is very strange behavior.
    I have been developing with HTMLDB for over a year now, and never seen anything like it!!! I will try loading this on HTMLDB.oracle.com, and see if it replicates, and if so, maybe you can have a look...............
    Thanks!
    Michelle

  • Referencing session state across DBLinks

    I have a central security package that all applications access to provide item-level authorisation.
    Recent extensions to the security model require additional information from the application, held in Application Items.
    For various legacy reasons I want to avoid having to add additional parameters to the security functions called so I reference the application items via the V() function. This works perfectly on local applications (within the same database) but V() returns null values if the application is accessing the security function via a DB link.
    So, is there any way to access session state from a PL/SQL package of an application that is not running on the same database?
    Regards
    Richard

    Richard
    Something along these lines might work. Say the remote package is named 'sec_vars'. At the remote db create 'sec_vars' as follows.
    create or replace package sec_vars is
      var1 varchar2(100);   -- new items needed by auth fn
      var2 varchar2(100);
      procedure setval (var1 in varchar2, var2 in varchar2);  -- sets var1/var2 with values from session state
      function getval (var in varchar2) return varchar2;   -- the local 'v' fn
      function doAuth return boolean;
    end;
    /
    create or replace package body sec_vars is
      procedure setval (var1 in varchar2, var2 in varchar2) is
      begin
        -- qualified names are the package variables, unqualified names the parameters
        sec_vars.var1 := var1;
        sec_vars.var2 := var2;
      end;
      function getval (var in varchar2) return varchar2 is
      begin
        if upper(var) = 'VAR1' then
          return sec_vars.var1;
        elsif upper(var) = 'VAR2' then
          return sec_vars.var2;
        else
          return null;
        end if;
      end;
      function doAuth return boolean is
        l_count number;
      begin
        select count(*) into l_count from emp where ename = sec_vars.getval('VAR1');
        return true;  -- the sketch returns true regardless of l_count
      end;
    end;
    /
    And in the Apex db we do something like
    create synonym sec_vars for sec_vars@remote_db;
    -- an auth process
    declare
      l_ok boolean;
    begin
      sec_vars.setval ('Variable 1','variable 2'); -- set required session item values
      l_ok := sec_vars.doAuth;
    end;
    varad

  • Saving session state on authentication

    Hey all...
    In all my applications that interact with each other, I am running an application-level process on authentication which loads two preferences into application-level items. I am seeing different results when jumping into different applications even though the executing code is the exact same in all applications, a stored procedure in the database. Here is a simplistic example.
    When application A calls a page in application B, an "on authentication" application-level process of application B reads two preferences and appropriately populates them into two application-level items of application B. When application A (or B for that matter) calls application C, the same-coded application process in application C attempts to populate two application-level items, but one of them is not being populated.
    It appears that the problem lies only with application C because regardless of whether I come from application A or application B, the same problem happens.
    When I go from application A to application B in debug mode, I see the following in reference to this problem:
    0.05: Computation point: ON_NEW_INSTANCE
    0.05: ...New Session = True
    0.05: Processing point: AFTER_AUTHENTICATION
    0.05: ...Process "Setup Seed Data": PLSQL (AFTER_AUTHENTICATION)
    1.11: ...Session State: Save Item "ORIGINAL_APP_ID" newValue="104" "escape_on_input="Y"
    1.11: ...Session State: Save Item "ORIGINAL_PAGE_ID" newValue="7" "escape_on_input="Y"
    When I go from either application A or application B to application C, I see the same debug messages except for an additional line that doesn't make sense to me. Following is an example:
    0.05: Computation point: ON_NEW_INSTANCE
    0.05: ...New Session = True
    0.05: Processing point: AFTER_AUTHENTICATION
    0.05: ...Process "Setup Seed Data": PLSQL (AFTER_AUTHENTICATION)
    1.11: ...Session State: Save Item "ORIGINAL_APP_ID" newValue="104" "escape_on_input="Y"
    1.11: ...Session State: Save Item "ORIGINAL_PAGE_ID" newValue="7" "escape_on_input="Y"
    1.11: ...Session State: Saved Item "ORIGINAL_APP_ID" New Value=""
    In all three applications, the exact same code is being run which determines if the preferences "is not null", and if so, sets the two preferences in the "current" application. I'm happy to show you the code of my stored procedure that does this if you like.
    The only thread I've seen in the forum that looks similar is the following:
    Re: Session state issues
    I've followed its suggestion of deleting and recreating the application-level item, but that did not solve my problem.
    I'm confused as to why the new line indicating "Saved Item" is showing up in the application C. Is there documentation available to explain the difference between "Save Item" and "Saved Item" when running a page in debug mode?
    Shane.

    Here are the different components that are in play and some notes that may help understand the situation:
    - the failure happened when the two application-level processes below were just one process. Works fine when they are split up.
    - the trick of using the SESSION as the USER_ID is because I want the preference to only be good for the session, not every time the user logs in. (I learned this trick from the ApEx forum!)
    - the stored procedure is in a package owned by a separate schema than the built-in ApEx user.
    On-Authentication Application-Level process with Sequence 10:
    begin
    :person_id := iv_portal.iv_emp_pkg.get_person_id ( v('USER') );
    apex_util.set_session_state ( 'PERSON_ID', :person_id );
    :core_app_id := iv_htmldb.iv_gen_pkg.get_core_app_id;
    apex_util.set_session_state ( 'CORE_APP_ID', :core_app_id );
    :user_vax_id :=
    substr ( iv_portal.iv_emp_pkg.get_vaxsub_id ( :person_id ), 1, 6 );
    apex_util.set_session_state ( 'USER_VAX_ID', :user_vax_id );
    :user_sub_id :=
    substr ( iv_portal.iv_emp_pkg.get_vaxsub_id ( :person_id ), 7, 1 );
    apex_util.set_session_state ( 'USER_SUB_ID', :user_sub_id );
    :proxy_person_id := apex_application.fetch_app_item
    ( 'PROXY_PERSON_ID', :original_app_id );
    apex_util.set_session_state ( 'PROXY_PERSON_ID', :proxy_person_id );
    end;
    On-Authentication Application-Level process with Sequence 15:
    declare
    l_username varchar2(50) := v('SESSION');
    begin
    iv_htmldb.iv_gen_pkg.setup_homepage_preferences ( l_username );
    end;
    SETUP_HOMEPAGE_PREFERENCES Stored Procedure
    procedure setup_homepage_preferences ( l_username in varchar2 ) is
    l_app_id varchar2(5) := v('APP_ID');
    l_page_id varchar2(5) := v('APP_PAGE_ID');
    l_pref_app_id varchar2(5) := null;
    l_pref_page_id varchar2(5) := null;
    begin
    -- clean up old sessions
    -- cannot do this however due to lack of access to the ApEx tables.
    delete from flows_020200.wwv_flow_preferences$ p
    where user_id != v('SESSION' )
    and user_id in ( select to_char ( id )
    from flows_020200.wwv_flow_sessions$ s
    where s.cookie = v('USER')
    and s.last_changed < sysdate - ( 0.5 ) );
    commit;
    if apex_util.get_preference ( 'ORIGINAL_APP_ID', l_username ) is null
    then -- then set the preference to the current application and page.
    apex_application.debug ( 'setting the ORIGINAL application items.' );
    apex_util.set_preference ( 'ORIGINAL_APP_ID', l_app_id,
    l_username );
    apex_util.set_preference ( 'ORIGINAL_PAGE_ID', l_page_id,
    l_username );
    else null;
    end if;
    -- set the application level items to the preference values
    l_pref_app_id := apex_util.get_preference ( 'ORIGINAL_APP_ID', l_username );
    l_pref_page_id := apex_util.get_preference ( 'ORIGINAL_PAGE_ID', l_username );
    apex_application.debug ( 'about to set ORIGINAL APP ID to ' || l_pref_app_id );
    apex_util.set_session_state ( 'ORIGINAL_APP_ID', l_pref_app_id );
    apex_application.debug ( 'just set ORIGINAL APP ID to ' ||
    apex_util.get_session_state ( 'ORIGINAL_APP_ID' ) );
    apex_application.debug ( 'about to set ORIGINAL PAGE ID to ' || l_pref_page_id );
    apex_util.set_session_state ( 'ORIGINAL_PAGE_ID', l_pref_page_id );
    apex_application.debug ( 'just set ORIGINAL PAGE ID to ' ||
    apex_util.get_session_state ( 'ORIGINAL_PAGE_ID' ) );
    end setup_homepage_preferences;
    Shane.

  • Session State Protection Confusion!

    Hello all,
    I'm looking into SSP, and find it very confusing; there are so many ways to implement it, and I'm just not sure which I should choose.
    I basically want to stop people tampering with the URL to change the values of variables and the like. I have currently enabled SSP for every page, which seems to work fine.
    However, you can also do it for each item and application item; is this also necessary, or are these options only there if I only wanted to enable SSP for a very specific thing (item) rather than an entire page?
    Does enabling SSP at page level protect the items (application and other) on that page in the same way enabling SSP for each of those items would do?
    Also, are there any implications from using SSP? Will some things not work if I enable it in some instances?
    Thanks for your help.
    Robin

    Robin,
    These are all good questions.
    What situations would arise when you'd want to use "No URL Access" for page access protection and "Restricted - May not be set from browser" for various item protections?
    Sometimes you have pages that you would never want a user to "get to" unless they had used the navigation controls that you built into the application. For example, the intermediate steps within a wizard. You may have seen examples of this in the Application Builder as you step through wizards (and in other places) where you'll be on a page and in the URL all you see is ..wwv_flow.accept, with no f?p URL that tells you what page ID was requested. This is an example of a Branch to Page branch in use. This type of branch does not do a redirect to an f?p URL but instead has the engine's "accept" procedure (from the last page submission) call the engine's "show" procedure directly using PL/SQL without introducing a new HTTP request. So if you have pages like that and you use Branch to Page branches as the "normal" way to get to them AND you want to prevent users from specifying those page IDs in URLS, then this feature of Session State Protection is available to support that.
    and how does the "Restricted - May not..." differ from the "Checksum Required - Session Level"; is that literally where a user can't alter the value of an item in the application, or is there more to it than that?
    Restricted ... prevents an item from being altered from outside the application. The only way you can set or change these items is by application logic. This feature can be used for items even if Session State Protection is not enabled for the application.
    Also, I can't understand just what user level and application level checksums would be useful for.
    Normally, when SSP checksums are generated, they are good for the current session. Say you have a URL like:
    f?p=100:55:ssssssss::NO::P1_ITEM,P2_ITEM:some-value-1,some-value2&cs=38DDFE1C102BDE167BCD66F4C2E77E16E
    A curious user might say, oh, I think I'll bookmark that link and run it again tomorrow to set the same page items to the same values. Well that doesn't work because the checksum is session ID specific. This also makes the hashing algorithm more secure.
    But sometimes you want to provide checksum-secured links that users can bookmark. Maybe you want to email a link to your application to a specific user and the link provides some key value that should be used by that specific user only (and you have authorization logic in the application to enforce that), like f?p...P10_USER_KEY:ABc568zz&cs=238DDFE1C102BDE167BCD66F4C2E77E16D. This is where the use of a User-Level checksum would be applicable. After the user clicks on the link and authenticates, the provided checksum can be verified against a new checksum computed on P10_USER_KEY:ABc568zz. These links can be used across sessions for this type of use but the checksum prevents alteration of the request arguments even by the intended user.
    The third type of checksum is the Application-Level (or Workspace-Level) checksum. Links with this type of checksum can be used by any user so long as the requested application is really the same application from the same workspace that generated the link. The checksum prevents alteration of the request arguments by the user.
    Scott
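
The checksum behaviour discussed in the two Session State Protection threads above (the error message that echoes the expected checksum, and the session-, user- and application-level checksum types), modelled as an added Python example that is not part of the original posts and is not Oracle APEX's algorithm. The key, the HMAC construction, the user names and the `verbose_errors` switch are assumptions made for illustration.

```python
"""Model of scoped URL checksums. Added illustration, not Oracle APEX's algorithm."""
import hashlib
import hmac

# Constructed demo key (assumption); a real system keeps its key server-side.
SERVER_KEY = b"constructed-demo-key"

# Leading digit of cs= selects the scope. 3 (session) and 2 (user) match the
# URLs quoted in the threads above; 1 for application level is this model's choice.
SCOPES = {"1": "APPLICATION", "2": "USER", "3": "SESSION"}
GENERIC_ERROR = "Session state protection violation."
FIELDS = ("app", "page", "session", "request", "debug", "clear", "names")


def parse_fp(url):
    """Split f?p=App:Page:Session:Request:Debug:ClearCache:Names:Values[&cs=X]."""
    query, _, cs = url.partition("&cs=")
    if not query.startswith("f?p="):
        raise ValueError("not an f?p URL")
    parts = query[4:].split(":")
    parts += [""] * (8 - len(parts))          # trailing fields may be omitted
    fields = dict(zip(FIELDS, parts[:7]))
    fields["values"] = ":".join(parts[7:])
    return fields, cs


def digest(fields, scope, session_id, user):
    """HMAC over request, clear cache, item names and item values, plus the
    application, page and the context the scope binds the link to."""
    bound = {"SESSION": session_id, "USER": user, "APPLICATION": ""}[scope]
    msg = "\x1f".join([scope, bound, fields["app"], fields["page"],
                       fields["request"], fields["clear"],
                       fields["names"], fields["values"]])
    mac = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256)
    return mac.hexdigest()[:32].upper()


def sign(url, scope_digit, session_id, user):
    """Append &cs=<scope digit><checksum> to an unsigned f?p URL."""
    fields, _ = parse_fp(url)
    base = url.partition("&cs=")[0]
    return base + "&cs=" + scope_digit + digest(
        fields, SCOPES[scope_digit], session_id, user)


def verify(url, session_id, user, verbose_errors=False):
    """Return (ok, message). session_id and user come from the server's own
    session record, never from the URL being checked."""
    fields, cs = parse_fp(url)
    scope = SCOPES.get(cs[:1])
    if scope is None:
        return False, GENERIC_ERROR
    expected = digest(fields, scope, session_id, user)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if hmac.compare_digest(expected.encode(), cs[1:].encode()):
        return True, "ok"
    if verbose_errors:
        # Weak setting: the message hands back the value the checksum is
        # supposed to keep secret, as in the error text quoted in the thread.
        return False, f"computed [{expected}] did not match passed ({cs[1:]})"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    sid = "7115846938209895"
    link = sign("f?p=126:3:" + sid + "::::P3_WORK_PACKAGE_ID:1179", "3", sid, "MARTIN")
    edited = link.replace(":1179&cs", ":1180&cs")
    print("original   ", verify(link, sid, "MARTIN"))
    print("edited     ", verify(edited, sid, "MARTIN"))
    print("edited/leak", verify(edited, sid, "MARTIN", verbose_errors=True))
    print("new session", verify(link, "999", "MARTIN"))
```

With `verbose_errors` off, the caller learns only that the link was rejected; the computed value belongs in a server-side log.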

  • Session State "Status"

    I was tickled pink -- now you know I'm being facetious -- to see there was documentation on Session State Status.  (Gotta love all those "S".)
    http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/concepts_ses.htm
    The session states are: Inserted, Updated and Reset.  Isn't that fantastic!  And probably even correct.  But ...  Wait for it ...!  Wait for it ...!
    Ahhh!  I can't find any Oracle APEX documentation explaining: Inserted / Updated / Reset!   What does "inserted" mean?   How is "updated" different?   "Reset" "how"?  Reset to "what"?
    The answer(s) may be obvious ... if you already know it.  The rest of us can only wonder, I suppose. 
    So, are the definitions documented somewhere?  If it's in a blog, I can't access blogs from work but I can when I get home tonight.
    Thanks for reading,
    Howard

    For a given page or application item:
    Inserted - The value is stored in the session state table for the first time in the session.
    Updated - The value that was already in the session state table acquires a new value.
    Reset - The value that was already in the session state table is changed to null by way of a clear-cache event.
    Scott

  • Session state and PDF building

    Trying to get an application report to use a few variables in a report being built from APEX. I have gone through and built the application report and SQL, I clicked on 3 items that are in session state, to push them through to the XML file being produced.
    However, when I open that xml file I find the following:
    <P167_END_DTE></P167_END_DTE>
    <P167_FACILITES></P167_FACILITES>
    <P167_START_DTE></P167_START_DTE>
    The 3 session items are NOT returning values to the XML file produced. Is there a possibility I have missed something?
    Using Apex 3.0.... I have selected the Advance XML structure (to include session information)
    Please advise..
    Thank you,
    Tony Miller
    UTMB/EHN

    Tony & Costantino:
    When downloading the XML you don't have access to the session state of your application. Only when running your application will the underlying XML structure actually be populated with your session state values. So it's expected that your session state item XML tags do not have any values at design time / when creating the report query. They're just there so that you can pick them up with the BI Publisher Word-Plug-In and place them in your RTF template. For that you don't need values.
    Regards,
    Marc

  • Session State Replication of Referenced Objects

    Here is a question on Clustering and Session state replication:
              Scenario:
              Consider two Session Objects A and B.
              Object A has-a reference to object B.
              So whatever changes done to Object B is reflected in Object A.
              In-memory Session replication happens on every HttpSession.setAttribute() call.
              The question is will the two session objects(A and B) be replicated to the other cluster and will still maintain the reference relationship or will they be two separate objects with same data (in different memory locations).
              regards,
              Jaiganesh

    Ok, I have been meaning to dig into session replication in a bit more detail and your question is a good excuse to do it!
              First stop the docs:
              Bea Docs
              The bits that jump out are under:
              Programming Considerations for Clustered Servlets and JSPs
              1) Session Data Must Be Serializable, so both your objects are serializable.
              2) Use setAttribute to Change Session State In an HTTP servlet that implements javax.servlet.http.HttpSession, use HttpSession.setAttribute (which replaces the deprecated putValue) to change attributes in a session object. If you set attributes in a session object with setAttribute, the object and its attributes are replicated in a cluster using in-memory replication. If you use other set methods to change objects within a session, WebLogic Server does not replicate those changes. Every time a change is made to an object that is in the session, setAttribute() should be called to update that object across the cluster.
              Likewise, use removeAttribute (which, in turn, replaces the deprecated removeValue) to remove an attribute from a session object.
              > Will the reference as shown in the step 3 will be maintained after replication on the other cluster ?? I guess not!!
              I don't understand "on the other cluster". There is normally one cluster made up of a few servers. The session state is maintained on one primary server and a secondary server. So you have aObj.a2 = bObj, from the docs I would understand that at the moment you called session.setAttribute the aObj and all its fields, provided they are serializable, will be replicated in memory.
              > There the aObj and bObj stored in the two different session objects will not have a reference relationship in other words if i change bObj on the other cluster will the reference a2 of aObj be able see it ??
              This is testing the limits of my understanding, but would have thought if the objects are in different sessions they should not be able to reference each other in the manner I think you are suggesting, so if I access aObj.a2 (an instance of bObj) and changed it in one session it should not affect any other bObj unless bObj is a singleton....I think!
              What say you?

  • How to use session state protection

    I use Apex 3.2.1
    I access my site by a url passing a parameter like this : f?p=101:1:0::::ITEM1:1234567. There is no login and password to access the site.
    The value of the parameter ITEM1 is the authorization of the first page, with a database function for the verification.
    To secure my site I want to use session state protection, so I enabled it, then I defined "Arguments Must have checksum" for the page 1.
    Now, when I try to access my site with the same url it does not work.
    It is the first time I try to use session state protection, could someone tell me what's wrong?

    Hi user5719906,
    I would suggest that as you need to pass an item and are unable to generate a checksum as you are not yet logged in, that you will need to allow arguments without checksum for this page.
    This could be a bit of a hole in your security, but as long as you know it is there and clear the cache for all pages that you branch to, you should be able to work around it.
    The issue is that a malicious user can set page and application items via the url to an unsecured page.
    Regards
    Michael

  • Session State Protection - Arguments must have Checksum - Help Required

    Hi everyone,
    I am using apex 4.0 and have set:
    Session State Protection = True
    Page Access Protection = Arguments must have checksum
    Application Item Protection = Checksum required - Session Level
    Page Data Entry Item Protection = Checksum required - Session Level
    Page Display-Only Item Protection = Checksum required - Session Level
    On pages which contain a Interactive report the calls to other pages to update and or delete a record passing the PK of the record work OK.
    I have set these as follows:
    In the Interactive report Link Column --> Link Attribute = onclick="new top.Ext.apex.PopupWindow( { url: this.href, title: 'Edit Classification Details', width: 530, height: 500, listeners: {'success': gReport.search} } ).show(); return false;"
    Target = Page in this Application
    Page = 302
    Item = P302_IDCLASS
    Value = #IDCLASS#
    Page Checksum = - User Default -
    The problem is on the "Create new record" button which is located on the Interactive report page. I have defined the button as:
    Button Attributes = onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
    Action when button click = Redirect to Page in this Application
    Page = 302
    Clear Cache = 302
    When I click the button I get the following message:
    Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
    If I change the Button attributes to be:
    onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
    It works OK, but the page items are not clear.
    Could someone please explain to me what I am doing wrong so I understand my mistake?
    Thank you
    Daniel

    Here's an interesting situation. I have been having great results with the prepare_url function, until I needed to pass a column value from a report into a popup.
    Originally, in the Column Link --> URL in the Report Attributes I had this. This worked great when there was no session state protection enabled.
    javascript:popUp('f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#','450','375');
    When I enabled session state protection and changed the URL link to this
    javascript:popUp('&VW_EVENT_LOG.','450','375');
    and then created an application item and computation in order to pass a checksum along
    APEX_UTIL.PREPARE_URL (
      p_url => 'f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#',
      p_checksum_type => 3
    );
    the checksum seems to get passed fine, but the column value for the EVENT_LOG_ID is being concatenated to the end of the checksum instead of being passed as the value for P17_EVENT_LOG_ID. I also noticed that the clear cache page (17) looks like it is also being attached to the beginning of P17_.., but I'm not sure if that's to be expected or not.
    It took me a while to figure it out, but when I started looking at the error message closely, I could see that the checksum is identical except for the last two digits, which coincidentally are the same as the ID for this record.
    The checksum computed on the request, clear cache, argument names, and argument values (17P17_EVENT_LOG_ID [C6161B29B4C078F68DCF430133407754] ) did not match the checksum passed into the show procedure (C6161B29B4C078F68DCF43013340775490).
    Any thoughts on how to pass a column value with a checksum to a popup window?
    Thanks,
    Joe

  • Session State Protection

    This is a spinoff of another thread in which Scott Spadafore was teaching how to effectively escape user-supplied data. This will be about Session State Protection in 2.0.
    I had asked Scott, "if I simply select the Restricted setting on this feature for every single item in my application, is that sufficient to protect me from URL tampering?"
    Scott replied: "No. First, you can't use that setting for POSTable items. Second, you need to pass item values via URL within your app, I assume, so the restricted setting is, er, too restrictive."
    OK, digging into the user guide I see that the first step is to enable session state protection. I drill down: Application -> Shared Components -> Session State Protection -> Set Protection.
    Now I click Enable and then on the next screen Enable Session State Protection. I assume I have accepted all of the default settings on the Configure page:
    Page Access Protection - Arguments Must Have Checksum
    Application Item Protection - Checksum Required - Session Level
    Page Data Entry Item Protection - Checksum Required - Session Level
    Page Display-Only Item Protection - Checksum Required - Session Level
    Is it safe to say that you will generally want Session Level Checksums? The help says, "Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session." I can't really think of why I wouldn't want this.
    Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?
    For a live application, am I putting my application at risk at all by doing this? Has the Session State Protection had any issues that might negatively impact my live application? If I find there are any, can I disable it and be back where I started without any complications?
    Thanks, Scott.
    Bill

    > Is it safe to say that you will generally want Session Level Checksums? ... I can't really think of why I wouldn't want this.
    Yes. The other types are for allowing users to bookmark URLs that contain checksums, either for their own use in later sessions in which they are authenticated to the same application or for use by unauthenticated users to the same application.
    > Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?
    That's most of it. If your dynamic regions produce links to pages and those pages require checksums, you need to change the link-generation code to use htmldb_util.prepare_url.
    > For a live application, am I putting my application at risk at all by doing this?
    Yes, changes to live applications result in disaster most of the time in my experience.
    > Has the Session State Protection had any issues that might negatively impact my live application?
    There is a bug that prevents sortable report heading links from being used on pages that require checksums. The bug is fixed in 2.1, but for 2.0 you need to not use that combination.
    > If I find there are any, can I disable it and be back where I started without any complications?
    Yes, in fact all you have to do is disable the feature at the application level, leaving page and item attributes as they are.
    Scott

  • SSP broke my LOV :-(  - Session State Protection Issue

    Hi Folks.
    I'm tinkering with SSP on my application.
    Here's the challenge du jour.
    If I enable SSP across the entire application I can't even log in. That was resolved by setting the login page to 'Unrestricted'. Not sure of the security implication of doing that but bear with me.
    My main Issue is this.
    I am using Patrick's APEXLIB for Cascading LOV functionality.
    My Parent LOV works fine.
    My Child LOV is blank.
    I have modified everything on the page to 'Unrestricted' and still I end up with a blank child LOV.
    Any ideas how to skin this cat?
    Many thanks
    Simon

    OK so here's how I 'fixed' this issue. I say fixed but I would welcome any comments regarding the security impact of the 'fix' I came up with.
    First of all I enabled SSP across the entire application
    Page Access Protection = Arguments Must have Checksum
    Application Item Protection = Checksum required - Session level
    Page Data Entry Item Protection = Checksum required - Session level
    Page Display-Only Item Protection = Checksum required - Session level
    This had the desired effect of applying these settings to everything.
    Having done that I needed to update the SSP to Patrick Wolf's Application Items in the following way...
    APEXLIB_REFERENCE_ID = Unrestricted
    APEXLIB_REFERENCE_TYPE = Unrestricted
    As a side note, I noticed that the Application Item FSP_AFTER_LOGIN_URL was also set to Unrestricted. I guess this is enforced by APEX to allow successful login to the application. All other application items were set to Checksum Required - Session Level as per the cross-application configuration I had initially done.
    Finally I had to review the pages that had the cascading LOVs that no longer functioned. For these pages I had to set the "Item Session State Protection" to Unrestricted for the pull down LOVs used in the Cascading LOV process. Parent LOVs and Child LOVs.
    The end result is that I have pretty tight SSP enabled across the entire application. The only areas where it is 'Unrestricted' are some of the cascading LOVs.
    I would be very interested to hear from anyone who would care to comment on the security weaknesses this approach may have created.
    I will update this thread if the SSP enabling has affected anything else in the application. So far though, it's only the Cascading LOVs.
    Kind regards
    Simon Gadd

  • Can we access the session scoped variable by simply using its name

    The Java EE 6 Tutorial contains a "Duke's Bookstore Case Study Example". I could not understand the following statements of this case study:
    *bookdetails.xhtml*
    {code}
    <h:outputText value="#{selected.title}"/>
    {code}
    *BookstoreBean.java*
    {code}
    public String details() {
        // Store the featured book in the session map under the key "selected"
        context()
            .getExternalContext()
            .getSessionMap()
            .put("selected", getFeatured());
        return ("bookdetails");
    }
    {code}
    I want to know whether we can access the session scoped variable in bookdetails.xhtml by simply using its name as done above?

    It is basic Expression Language (EL) functionality, it isn't even specific to JSF. And it isn't specific to the session scope either, you can put beans in any scope (page, request, session, application, flash, conversation, whatever custom scope you create) and reference it using EL by only its name. The thing that you have to take care of is that the bean lives in SOME scope, which can be achieved using JSF specific annotations or configuration files, through CDI or by manually putting the bean in a specific scope through Java code. It's flexible, which is the nature of the Java platform.

  • ORA-29549: class hlpr_pdf_list_java has changed, Java session state cleared

    Looks like this is the simple program.... but I am getting that error
    SQL> create or replace and compile java source named "hlpr_pdf_list_java" as
    2 import java.io.*;
    3 import java.util.*;
    4 import java.util.zip.*;
    5 import java.text.*;
    6 import java.lang.*;
    7 import java.sql.*;
    8
    9 class hlpr_pdf_list_java
    10 {
    11 public static String hlpr_pdf_list_java(String dirname) throws Exception
    12 {
    13 Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    14 Connection con = DriverManager.getConnection("jdbc:odbc:hlpr_dsn", "hlpr", "hlpr");
    15 Statement stmt = con.createStatement();
    16
    17 String retval=null;
    18 File dir = new File(dirname);
    19 String[] files = dir.list();
    20 if (files!=null)
    21 {
    22 for (int i=0;i<files.length;i++)
    23 {
    24 retval = files[i];
    25 stmt.executeUpdate("insert into hlpr_dir_list(dir_name,file_name) values(dirname,retval)");
    26 }
    27 }
    28 return retval;
    29 }
    30 }
    31 /
    Java created.
    SQL>
    SQL> CREATE OR REPLACE function hlpr_getfilesindir_fn(p_long_path_dir_name varchar2) return varchar2
    2 as language java name 'hlpr_pdf_list_java.hlpr_pdf_list_java(java.lang.String) return java.lang.String';
    3 /
    Function created.
    SQL>
    SQL> select hlpr_getfilesindir_fn('/d01/oradata/atlanta_gi/2007_10_1_12_31') from dual;
    select hlpr_getfilesindir_fn('/d01/oradata/atlanta_gi/2007_10_1_12_31') from dual
    ERROR at line 1:
    ORA-29549: class HLPR.hlpr_pdf_list_java has changed, Java session state cleared
    SQL>
    any clues?

    Hi,
    Please from now on put this exact tag => {code} (So that's: four characters, forming the word 'code' between curly brackets)
    before and after your examples. That way your indentation and formatting remains intact and we will be able to read and understand faster what's going on.
    ORA-29549: class HLPR.hlpr_pdf_list_java has changed, Java session state cleared
    any clues?
    Probably all you need to do is call your function once more or reconnect.
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14219/e29250.htm#sthref8038
    +edit+
    Also let us know if you've got access to MetaLink/MyOracleSupport
    Edited by: hoek on Aug 24, 2009 9:23 PM
