Problems With Session State Protection

I have enables SSP on one of my applications and everyting seemed ok until I reached a page with a custom pop up page.
I use this code in my page header
{} used to display code
{<script language="JavaScript1.1" type="text/javascript">
function callMyPopupRank (formItem1,formItem2) {
var formVal1 = document.getElementById(formItem1).value;
var formVal2 = document.getElementById(formItem2).value;
var url;
url = 'f?p=&APP_ID.:115:&APP_SESSION.::::P115_RANK,P115_RANK_ID:' + formVal1;
w = open(url,"winLov","Scrollbars=1,resizable=1,width=400,height=630");
if (w.opener == null)
w.opener = self;
w.focus();
</script>}
Then I call it from post element text of an item
{<img src="#IMAGE_PREFIX#edit-white.gif" border="0" alt="Edit">}
When my pop up page opens I get this error
Attempt to save item P115_RANK in session state during show processing.
Item protection level indicates "Item may be set when accompanied by a "session" checksum.".
No checksum was passed in or the checksum passed in would be suitable for an
item with protection level "(No checksum was provided)".
How do I append the checksum to my url ?
Thanks
Gus
Edited by: Gus C on Jan 8, 2010 1:50 AM
Edited by: Gus C on Jan 8, 2010 1:52 AM

You will need to use the APEX_UTIL.PREPARE_URL function to append the checksum to the URL. I would suggest you use a hidden page item to hold the URL and then reference it in your JS.
I hope that helps
Shunt

Similar Messages

  • Session state protection violation

    I turned on the session state protection on my application, the setting for Application Item, Page Data Entry Item and page display-only item are "checksum-required, application level". I want the URL to be shared by user in different sessions (for example bookmark). when I open two browsers (IE, Firefox) and login as same user, I copied/pasted url from one browser to another and received "Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum."
    Did I misunderstand the intent usage of this feature? I also noticed that checksum generated by the system remains the same no matter what checksum level I set (application, user, session).
    I am running APEX 3.1.0.00.32.

    Cheng-Lu,
    I didn't forget you, this was a very difficult problem to debug.
    I think I have a workaround for you. I added a page process to your login page named "fix deep link item". This restores the value of FSP_AFTER_LOGIN_URL that gets passed to this login page and is supposed to be immediately saved in session state. Due to a bug, this value was getting truncated to "f" before it could be saved. The new page process looks at the current URL and uses the value there which is still intact and saves that value in session state. I tested it with your applications. Please let me know if this works. We'll make a proper fix in the 3.2 release.
    So this was not a problem with session state protection but in the "f" procedure which parses argument names/argument values in f?p URLs. This gets tripped up when an argument value contains a pattern like &cs= which is first treated as an argument to the orignal "f" call and therefore is never seen as an argument value in the list of arguments.
    I have some other observations about your applications. I see that they have code in the page sentry function attribute of the authentication scheme. The code you have in there is completely unnecessary and could actually make the application less secure. You should leave this attribute empty and let the default (built-in) page sentry do all the work.
    Scott

  • Session State Protection Violation error

    I am developing my first Apex application. I have this page which has been running fine until I made some changes. The error I get is the following:
    -----Error message:
    Session state protection violation. This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
    --End of error message.
    This happens Whenever the page is submitted for process, e.g. when I select from a "LOV with Submit" item or when I click the "Save Changes" button. It is fine if the button redirects to another page. Using Debug, I saw that the error occurs right after "Fetch page attributes" and before "Fetch session state from database".
    About the changes I made before this error first surfaced: nothing to do with session state protection and nothing I can think of that is related to session state protection. In fact, I did not specify any session state protection at any level at this stage. That is, all pages and items are unrestricted. I did add a javascript to the page which is invoked onChange of an item to update another item. I made the same changes (except for the Javascript) to another similar page which is still running fine.
    I tried logging out of Apex (I am using OracleXE) and getting back on, the error still persists. I even shut down and restart the Apex database to no avail.
    Can anyone point me to where it might be the cause of this problem? Thank your help and/or suggestions in advance.
    Message was edited by:
    muighi

    Scott - I should have posted this question sooner! I wasted a whole day trying to figure this out. Thanks a lot, Scott. By the way, where can I find any documented known bugs in Apex?
    --Candy                                                                                                                                                                                                                                                                                                                                                                                                               

  • Problem since upgrade to 2.0 "Error: Session state protection violation"

    I've upgraded to 2.0. Everything fine except one particular page when I submit it I get "Error: Session state protection violation". I have read up about session state protection, and it is turned off in my application. There are no items, pages or URLs that have any session state protection. There is nothing particularly different about this screen when compared to other screens that work. What can be causing this?
    Steve

    Steve - Thanks for putting that test case out there. This is an odd bug. It happens when you apply the read-only attribute to a "Display as Text (does not save state)" item. Normally, these items are not HTML input items on the page (you see only the value rendered). However, because of a bug, applying the read-only attribute causes an INPUT item to be created. This leads to the problem that you saw -- when an item that should never be POSTed because it is: a) an application item, b) a page item that has the Session State Protection attribute "Restricted - May not be set from browser", or c) a page item of display type "Display as Text (does not save state)", is POSTed, the Session State Protection violation is detected and reported. These checks are performed whether the Session State Protection feature is enabled for the application or not. The reason for that is that checking for cases(a) and (c) is always legitimate and checking for case (b) is always necessary because the Restricted attribute for page items of qualifying display types is always in effect.
    So the workaround in your case is not to use the read-only attribute for the display-only items. They are read-only anyway.
    Thanks again for pointing this out.
    Scott

  • Session state protection disables running of pages without argument

    Hi all,
    Shared Components=>Security=>Authentication Schemes=>Application Express - Current
    I did the folowwing steps :
    Shared Components=>Security=>Session State Protection=> Set Protection button
    in the folowwing screen press Enable followed by next
    in the next screen Press the Enable Session State Protections
    in the page Shared Components>Session State Protection>Session State Protection by Page
    both page 0 and 1 are unrestricted
    stil I can't run my app
    page 1 error :
    No checksum was provided to show processing for a page that requires a checksum when one or
    more request, clear cache, or argument values are passed as parameters.
    page 0 and 1 have no items
    page 1 has one region of type list
    and uses the list found on page 0 but uses a list template override od Pull Down Menu with
    Image the same list on page 0 has a list template of DHTML Menu with Sublist
    I am at a loss the nly solutions is to put session state protection off all together
    please help
    Kr
    Martin

    No problems if you run the app directly likes so :
    http://apex.oracle.com/pls/otn/f?p=29691:1
    when you login through apex.oracle.com
    WS : martijnke
    login guest
    passw : apex_demo
    then the error occurs
    it seems that from the buikder I can't run any page that does not have any parameters
    even if I make those pages unrestricted
    Martin

  • Session State Protection - Arguments must have Checksum - Help Required

    Hi everyone,
    I am using apex 4.0 and have set:
    Session State Protection = True
    Page Access Protection = Arguments must have checksum
    Application Item Protection = Cecksum required - Session Level
    Page Data Entry Item Protection = Cecksum required - Session Level
    Page Display-Only Item Protection = Cecksum required - Session Level
    On pages which contain a Interactive report the calls to other pages to update and or delete a record passing the PK of the record work OK.
    I have set these as follows:
    In the Interactive report LInk Colomn --> Link Attribute = onclick="new top.Ext.apex.PopupWindow( { url: this.href, title: 'Edit Classification Details', width: 530, height: 500, listeners: {'success': gReport.search} } ).show(); return false;"
    Target = Page in this Application
    Page = 302Item = P302_IDCLASS
    Value = #IDCLASS#
    Page Checksum = - User Default -
    The problem is on the "Create new record" button which is located on the Interactive report page. I have defined the button as:
    Button Attributes = onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
    Action when button click = Redirect to Page in this Application
    Page = 302
    Clear Cache = 302
    When I click the button I get the following message:
    Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
    If I change the Button attributes to be:
    onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
    It works OK, bu the page items are not clear.
    Could someone please explaing to me what am I doing wrong so I understand my mistake ?
    Thank you
    Daniel

    Here's an interesting situation. I have been having great results with the prepare_url function, until I needed to pass a column value from a report into a popup.
    Originally, in the Column Link --> URL in the Report Attributes I had this. This worked great when there was no session state protection enabled.
    javascript:popUp('f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#','450','375');When I enabled session state protection and changed the URL link to this
    javascript:popUp('&VW_EVENT_LOG.','450','375');and then created an application item and computation in order to pass a checksum along
    APEX_UTIL.PREPARE_URL (
      p_url => 'f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#',
      p_checksum_type => 3
    );the checksum seems to get passed fine, but the column value for the EVENT_LOG_ID is being concatenated to the end of the checksum instead of being passed as the value for P17_EVENT_LOG_ID. I also noticed that the clear cache page (17) looks like it is also being attached to the beginning of P17_.., but I'm not sure if that's to be expected or not.
    It took me a while to figure it out, but when I started looking at the error message closely, I could see that the checksum is identical except for the last two digits, which coincidentally are the same as the ID for this record.
    The checksum computed on the request, clear cache, argument names,
    and argument values (17P17_EVENT_LOG_ID [C6161B29B4C078F68DCF430133407754] ) did not match the checksum
    passed into the show procedure (C6161B29B4C078F68DCF43013340775490). Any thoughts on how to pass a column value with a checksum to a popup window?
    Thanks,
    Joe

  • Interactive Report Download and Session State Protection

    I have created an Interactive Report in an APEX application that I have enabled
    session state protection for. The issue I am having is with the "Download"
    functionality of the interactive report to a .csv file.
    The URL created by selecting Download from the drop down (javascript:gReport.controls.download();)
    is built or constructed without a checksum thus causing the error below.
    Error
    No checksum was provided to show processing for a page that
    requires a checksum when one or more request, clear cache, or argument
    values are passed as parameters.
    The anchor tag containing the URL (/f?p=app_id:page:session_id:CSV:) is contained within
    &lt;div id="apexir_CONTROL_PANEL_DROP" class="drop_panel
    clearfix" style=""&gt;
    Running the following: Application Express 3.1.0.00.32 on Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
    Is there a way to add a checksum to this? OR does anyone have any ideas on how to work around this?
    Edited by: Bryce Tuohy on Feb 26, 2009 10:08 AM

    WORKAROUND:
    1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
    Enter the following for the ITEM
    as the SOURCE_TYPE : PL/SQL Function Body
    as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
    2.) Create BUTTON that executes javascript to open POPUP window with this url.
    a.) Create Button and enter
    &lt;a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')"&gt;Download and Save to CSV file&lt;/a&gt;as the "Text Label/Alt"
    Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
    Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

  • Session State Protection invalid Checksum errors show valid checksum

    Hi,
    I am investigating Session Sate Prtection to let me make my appications more secure.
    I have created a simple Report / Form pair that allows me to open an item for edditing.
    I have set the Application to Session State Protection 'Enabled' and and my form page to Page Access Prtection 'Arguments Must Have Checksum'.
    From my report page I click on the edit icon for a row and I get the edit page with the url:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1179&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
    If I then manually manipulate this url, to change my P3_WORK_PACKAGE_ID from 1179 to 1180, to:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
    I get an error of:
    Error The checksum computed on the request, clear cache, argument names, and argument values (P3_WORK_PACKAGE_ID1180 [01BE394775DB7B5A861BEA77B6637A46] ) did not match the checksum passed into the show procedure (CC0C97D3A8B114D2E40EDF158C0AECFB).
    All well and good, but it tells me what the checksum should be. I can now update the url to use the displayed checksum to make the url:
    f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=301BE394775DB7B5A861BEA77B6637A46
    the form opens for P3_WORK_PACKAGE_ID 1180.
    How do I stop the error message telling my how to bypass the checksum security?
    Thanks,
    Martin

    I am not sure but maybe this detailed message is coming if you are logged in to Apex and otherwise it is showing more general error message with no checksum?

  • Session State Protection Confusion!

    Hello all,
    I'm looking into SSP, and find it very confusing; there are so many ways to implement it, and I'm just not sure which I should choose.
    I basically want to stop people tampering with the URL to change the values of variables and the like. I have currently enabled SSP for every page, which seems to work fine.
    However, you can also do it for each item and application item; is this also necessary, or are these options only there if I only wanted to enable SSP for a very specific thing (item) rather than an entire page?
    Does enabling SSP at page level protect the items (application and other) on that page in the same way enabling SSP for each of those items would do?
    Also, are there any implications from using SSP? Will some things not work if I enable it in some instances?
    Thanks for your help.
    Robin

    Robin,
    These are all good questions.
    What situations would arise when you'd want to use "No URL Access" for page access protection and "Restricted - May not be set from browser" for various item protections?
    Sometimes you have pages that you would never want a user to "get to" unless they had used the navigation controls that you built into the application. For example, the intermediate steps within a wizard. You may have seen examples of this in the Application Builder as you step through wizards (and in other places) where you'll be on a page and in the URL all you see is ..wwv_flow.accept, with no f?p URL that tells you what page ID was requested. This is an example of a Branch to Page branch in use. This type of branch does not do a redirect to an f?p URL but instead has the engine's "accept" procedure (from the last page submission) call the engine's "show" procedure directly using PL/SQL without introducing a new HTTP request. So if you have pages like that and you use Branch to Page branches as the "normal" way to get to them AND you want to prevent users from specifying those page IDs in URLS, then this feature of Session State Protection is available to support that.
    and how does the "Restricted - May not..." differ from the "Checksum Required - Session Level"; is that literally where a user can't alter the value of an item in the application, or is there more to it than that?
    Restricted ... prevents an item from being altered from outside the application. The only way you can set or change these items is by application logic. This feature can be used for items even if Session State Protection is not enabled for the application.
    Also, I can't understand just what user level and application level checksums would be useful for.
    Normally, when SSP checksums are generated, they are good for the current session. Say you have a URL like:
    f?p=100:55:ssssssss::NO::P1_ITEM,P2_ITEM:some-value-1,some-value2&cs=38DDFE1C102BDE167BCD66F4C2E77E16E
    A curious user might say, oh, I think I'll bookmark that link and run it again tomorrow to set the same page items to the same values. Well that doesn't work because the checksum is session ID specific. This also makes the hashing algorithm more secure.
    But sometimes you want to provide checksum-secured links that users can bookmark. Maybe you want to email a link to your application to a specific user and the link provides some key value that should be used by that specific user only (and you have authorization logic in the application to enforce that), like f?p...P10_USER_KEY:ABc568zz&cs=238DDFE1C102BDE167BCD66F4C2E77E16D. This is where the use of a User-Level checksum would be applicable. After the user clicks on the link and authenticates, the provided checksum can be verified against a new checksum computed on P10_USER_KEY:ABc568zz. These links can be used across sessions for this type of use but the checksum prevents alteration of the request arguments even by the intended user.
    The third type of checksum is the Application-Level (or Workspace-Level) checksum. Links with this type of checksum can be used by any user so long as the requested application is really the same application from the same workspace that generated the link. The checksum prevents alteration of the request arguments by the user.
    Scott

  • Problem In Session State

    Hai, I'm Using VS2010 and SQL Server 2005.
    I have a problem in Session state;
    //View.aspx.cs
    // In this page just I store a textbox into a session variable.
    protected void btnEdit_Click(object sender, EventArgs e)
            Session["rollno"] = txtRollNo.Text;
                Response.Redirect("Edit.aspx");
    //Edit.aspx.cs
    //In this page I retrieve the session value which is stored in previous page
           protected void Page_Load(object sender, EventArgs e)
            txtRollNo.Enabled = false;
            if (!IsPostBack)
                txtRollNo.Text = Session["rollno"].ToString();
                getdata();
     public void getdata()
            SqlConnection con = new SqlConnection("Data Source=SERVICETEAM-PC;Initial Catalog=csc;User ID=sa;Password=kavi");
            con.Open();
            SqlCommand cmd = new SqlCommand("Select * from Csc where Roll_No='" + txtRollNo.Text + "'", con);
            SqlDataReader dr = cmd.ExecuteReader();
            if (dr.Read())
                txtName.Text = dr.GetString(1).ToString();
                txtAddress.Text = dr.GetString(2).ToString();
                txtMobileNo.Text = dr.GetString(3).ToString();
                txtYesNo.Text = dr.GetString(4).ToString();
    From the above code, I got an error when I press Edit button in View.aspx page.
    The Error is
    Description: An unhandled
    exception occurred during the execution of the current web
    request. Please review the stack trace for more information about the error and where it originated in the code. 
    Exception Details: System.Web.HttpException: A page can have only one server-side Form
    tag.
    Source Error: 
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack
    trace below.
    Help Me.....

    Hai,
    I'm using VS2010 and SQL Server 2005.
    I have a problem in Session state.
    See below is my code,
    //View.aspx.cs
    //Here I assign a textbox value to session
    protected void btnEdit_Click(object sender, EventArgs e)
            Session["rollno"] = txtRollNo.Text;
                Response.Redirect("Edit.aspx");
    //Edit.aspx.cs
    //Here I assign a session value to textbox, which is stored in last page.
    protected void Page_Load(object sender, EventArgs e)
            txtRollNo.Enabled = false;
            txtRollNo.Text = Session["rollno"].ToString();
            getdata();
    public void getdata()
            SqlConnection con = new SqlConnection("Data Source=SERVICETEAM-PC;Initial Catalog=csc;User ID=sa;Password=kavi");
            con.Open();
            SqlCommand cmd = new SqlCommand("Select * from Csc where Roll_No='" + txtRollNo.Text + "'", con);
            SqlDataReader dr = cmd.ExecuteReader();
            if (dr.Read())
                txtName.Text = dr.GetString(1).ToString();
                txtAddress.Text = dr.GetString(2).ToString();
                txtMobileNo.Text = dr.GetString(3).ToString();
                txtYesNo.Text = dr.GetString(4).ToString();
    From the above code If I the Edit button, It will show an error like 
           

  • Session State Protection breaks Cascading LOV.

    Hi,
    Whenever I turn Session State Protection on my application , with option 'Arguments Must Have Checksum' on the page level,
    Items defined with a cascading LOV will not work. Once session state protection is on for the page, and I change the value of a parent
    LOV, the Child Item LOV (defined with Cascading LOV) will not show any value and the 'round working icon' will just keep on going
    and does not end, The Child/Cascading LOV seems to be just hanging and not return any values. This happens consistently (APEX 4.1.1.).
    There are no threads existing for this behavior, would like to know if this is a known issue and if there is a fix.
    Thanks,
    Ramon

    The documentation says, "If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit)." In practice, what this means (among other things) is that items that are identified as "Cascading LOV Parent Item(s)" must have "Session State Protection" set to "Unrestricted".

  • How to use session state protection

    I use Apex 3.2.1
    I access my site by a url passing a parameter like this : f?p=101:1:0::::ITEM1:1234567. There is no login and password to access the site.
    The value of the parameter ITEM1 is the authorization of the first page, with a database function for the verification.
    To secure my site I want to use session state protection so, I enabled it , then I defined "Arguments Must have checksum" for the page 1.
    Now , when i try to acces my site with the same url it does not work.
    it is the first time a try to use session state protection, could someone tell me what's wrong?

    Hi user5719906,
    I would suggest that as you need to pass an item and are unable to generate a checksum as you are not yet logged in, that you will need to allow arguments without checksum for this page.
    This could be a bit of a hole in your security, but as long as you know it is there and clear the cache for all pages that you branch to, you should be able work around it.
    The issue is that a malicious user can set page and application items via the url to an unsecured page.
    Regards
    Michael

  • Session State Protection Error

    Hello All,
    I have recently made some manual changes in my data tables for my application. When I went to test my changes I received a new error I have never seen.
    Session state protection violation: This may be caused by manual alteration of protected page item 57299492617521335525. If you are unsure what caused this error, please contact the application administrator for assistance.
    Contact your application administrator.
    I have never seen this error. Can someone help?
    Thanks
    Ryan

    Did you delete some columns? Drop some tables? I think this is something related to that... if true, then you should manually go to each page and verify your tables, columns, procedure calls, etc....
    User: 901292 (did your family gave you that name? Amazing)....
    Total Posts:     45
    Total Questions:     27 (25 unresolved)
    Start closing topics and rewarding people with points.
    Edited by: Vitor Rodrigues on 13/Fev/2012 15:39

  • Report Print Attributes and Session State Protection

    Hi all,
    I have a report (old style Apex report, not an IR) that I would like to have a Print option, producing a PDF output.
    The report is on a page that takes a number of arguments and uses the page security option "Arguments require checksum".
    When I turn on the Enable Report Printing option in the report, the Print link appears at the bottom of the report. However, clicking Print leads to the following message:
    "Error      No checksum was provided to show processing for a page that requires a checksum when one or more request, clear cache, or argument values are passed as parameters."
    Disabling Session State Protection for that page makes the report link work, but I would prefer not to do that.
    How do I get the built-in report print option to generate the required checksum?
    I'm using Apex 4.0.2.00.07, by the way.
    Alex

    WORKAROUND:
    1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
    Enter the following for the ITEM
    as the SOURCE_TYPE : PL/SQL Function Body
    as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
    2.) Create BUTTON that executes javascript to open POPUP window with this url.
    a.) Create Button and enter
    &lt;a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')"&gt;Download and Save to CSV file&lt;/a&gt;as the "Text Label/Alt"
    Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
    Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

  • SSP broke my LOV :-(  - Session State Protection Issue

    Hi Folks.
    I'm tinkering with SSP on my application.
    Here's the challenge du jour.
    If I enable SSP across the entire application I can't even log in. That was resolved by setting the login page to 'Unrestricted'. not sure of the security implication of doing that but bear with me.
    My main Issue is this.
    I am using Patrick's APEXLIB for Cascading LOV functionality.
    My Parent LOV works fine.
    My Child LOV is blank.
    I have modified everything on the page to 'Unrestricted' and still I end up with a blank child LOV.
    Any ideas how to skin this cat?
    Many thanks
    Simon

    OK so here's how i 'fixed' this issue. I say fixed but I would welcome any comments regarding the security impact of the 'fix' I came up with.
    First of all I enabled SSP across the entire application
    Page Access Protection = Arguments Must have Checksum
    Application Item Protection = Checksum required - Session level
    Page Data Entry Item Protection = Checksum required - Session level
    Page Display-Only Item Protection = Checksum required - Session level
    This had the desired effect of applying these settings to everything.
    Having done that I needed to update the SSP to Patrick Wolf's Application Items in the following way...
    APEXLIB_REFERENCE_ID = Unrestricted
    APEXLIB_REFERENCE_TYPE = Unrestricted
    As a side note, I noticed that the Application Item FSP_AFTER_LOGIN_URL was also set to Unrestricted. I guess this is enforced by APEX to allow successful login to the application. All other application items were set to Checksum Required - Session Level as per the cross-application configuration I had initially done.
    Finally I had to review the pages that had the cascading LOVs that no longer functioned. For these pages I had to set the "Item Session State Protection" to Unrestricted for the poll down LOVs used in the Cascading LOV process. Parent LOVs and Child LOVs.
    The end result is that I have pretty tight SSP enabled across the entire application. The only areas where it is 'Unrestricted' are some of the cascading LOVs.
    I would be very interested to hear from anyone who would care to comment on the security weaknesses this approach may have created.
    I will update this thread if the SSP enabling has affected anything else in the application. So far though, it's only the Cascading LOVs.
    Kind regards
    Simon Gadd

Maybe you are looking for

  • BEX - Get Open Items with a key Date

    Hi Gurus, Im working with the Cube and ODS for AR Line items (0FIAR_C03- 0FIAR_O03) and i need to create a report that shows the Open items by Customer with a Key Date. I did the query that shows all the open items by customer, and i want to know whe

  • What website does iMessage use to send pictures

    Hi.  I have an iPad 2 and a Mac Mini that aren't able to send or receive pictures.  My wifi is restricted, and I need to know what website it is that apple iMessage uses to send its pictures so that I can submit it for approval. Thanks!!

  • Status reports

    Dear All, 1.     Cheque details 2.     Deposit details 3.     Receipt and payment account 4.     Reconciliation report Any one let me the relavant t-cdoe the above reports. Regards Partha

  • Cannot open EPS files in illustrator

    I am running illustrator CS6 16.0.4 on an iMac (new). I get the following error when trying to open some EPS files "can't open this illustrator file. the file was generated with a newer version of illustrator and cannot be opened. Please resave in a

  • I really need help from someone with CS5

    HELP me. I am in a begining flash class and I need to submit an assignment as CS4, one which I made it with CS5 and my trial ran out before I could save it down. I am in the procces of recieving an educational discount but my deadline is tonight and