Session State Protection - Arguments must have Checksum - Help Required

Similar Messages

• Page Access Protection -Arguments Must Have checksum question

  If we want to call popup page that is defined as "Page Access Protection -Arguments Must Have checksum", then HTMLDB_UTIL.PREPARE_URL has to be called for every used URL-OK!
  <br><br>
  This calculation is easy to perform in "OnLoad-Before region" process, where some hidden varible is assigned as:
  :P_HIDDEN_VAR_URL:= HTMLDB_UTIL.PREPARE_URL('*f?p=&APP_ID.:2:&APP_SESSION.::NO::P_PROCESS:1');<br>
  and later used in call:
  javascript:popupURL('&P_HIDDEN_VAR_URL.');<br>
  AFAIK, this approach has a limitation if popup links are placed in table grid. If in grid link is defined as:
  <*a href="*javascript:popupURL('*f?p=&APP_ID.:2:&APP_SESSION.::NO:RP,2:P_PROCESS:#ID#')">#SOME_FIELD#</a><br>
  then no "HTMLDB_UTIL.PREPARE_URL" cannot be used, because every value depend on each grid row (ID field).
  <br><br>
  So is there a solution in such a cases to call popup page that have mentioned type of page access protection?
  <br>
  THX!

  See results below for call to prepare_url in SQL*Plus. It doesn't do anything, as you can see. The function can only generate a secure checksum (to be ultimately verified later within the application context) if it has some secret knowledge that is known only within the application context. So to expect it to work outside that context may be a requirement that conflicts with security aims.
  Is your requirement to use apex_mail.send from a job? Maybe you could generate the links with user-level checksums from within the application (for every possible user/argument value combination) and save them off in a table for retrieval by the mailer program. Just a thought.
  SQL> select apex_util.prepare_url('f?p=211:2:5103232296113234:x') from dual;
  APEX_UTIL.PREPARE_URL('F?P=211:2:5103232296113234:X')
  f?p=211:2:5103232296113234:x::::
  SQL> select apex_util.prepare_url('f?p=211:2:5103232296113234:x','3') from dual;
  APEX_UTIL.PREPARE_URL('F?P=211:2:5103232296113234:X','3')
  f?p=211:2:5103232296113234:x::::
  SQL> select apex_util.prepare_url('f?p=211:2:5103232296113234:x','2') from dual;
  APEX_UTIL.PREPARE_URL('F?P=211:2:5103232296113234:X','2')
  f?p=211:2:5103232296113234:x::::
  SQL> select apex_util.prepare_url('f?p=211:2:5103232296113234:x','1') from dual;
  APEX_UTIL.PREPARE_URL('F?P=211:2:5103232296113234:X','1')
  f?p=211:2:5103232296113234:x::::
  SQL>
  Scott

• Session State Protection

  This is a spinoff of another thread in which Scott Spadafore was teaching how to effectively escape user-supplied data. This will be about Session State Protection in 2.0.
  I had asked Scott, "if I simply select the Restricted setting on this feature for every single item in my application, is that sufficient to protect me from URL tampering?"
  Scott replied: "No. First, you can't use that setting for POSTable items. Second, you need to pass item values via URL within your app, I assume, so the restricted setting is, er, too restrictive."
  OK, digging into the user guide I see that the first step is to enable session state protection. I drill down: Application -> Shared Components -> Session State Protection -> Set Protection.
  Now I click Enable and then on the next screen Enable Session State Protection. I assume I have accepted all of the default settings on the Configure page:
  Page Access Protection - Arguments Must Have Checksum
  Application Item Protection - Checksum Required - Session Level
  Page Data Entry Item Protection - Checksum Required - Session Level
  Page Display-Only Item Protection - Checksum Required - Session Level
  Is it safe to say that you will generally want Session Level Checksums? The help says, "Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session." I can't really think of why I wouldn't want this.
  Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?
  For a live application, I am putting my application at risk at all by doing this? Has the Session State Protection had any issues that might negatively impact my live application? If I find there are any, can I disable it and be back where I started without any complications?
  Thanks, Scott.
  Bill
  Message was edited by:
  jkestely

  Is it safe to say that you will generally want Session Level Checksums? ... I can't really think of why I wouldn't want this.Yes. The other types are for allowing users to bookmark URLs that contain checksums, either for their own use in later sessions in which they are authenticated to the same application or for use by unauthenticated users to the same application.
  Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?That's most of it. If your dynamic regions produce links to pages and those pages require checksums, you need to change the link-generation code to use htmldb_util.prepare_url.
  For a live application, I am putting my application at risk at all by doing this?Yes, changes to live applications result in disaster most of the time in my experience.
  Has the Session State Protection had any issues that might negatively impact my live application?There is a bug that prevents sortable report heading links from being used on pages that require checksums. The bug is fixed in 2.1, but for 2.0 you need to not use that combination.
  If I find there are any, can I disable it and be back where I started without any complications?Yes, in fact all you have to do is disable the feature at the application level, leaving page and item attributes as they are.
  Scott

• SSP broke my LOV :-(  - Session State Protection Issue

  Hi Folks.
  I'm tinkering with SSP on my application.
  Here's the challenge du jour.
  If I enable SSP across the entire application I can't even log in. That was resolved by setting the login page to 'Unrestricted'. not sure of the security implication of doing that but bear with me.
  My main Issue is this.
  I am using Patrick's APEXLIB for Cascading LOV functionality.
  My Parent LOV works fine.
  My Child LOV is blank.
  I have modified everything on the page to 'Unrestricted' and still I end up with a blank child LOV.
  Any ideas how to skin this cat?
  Many thanks
  Simon

  OK so here's how i 'fixed' this issue. I say fixed but I would welcome any comments regarding the security impact of the 'fix' I came up with.
  First of all I enabled SSP across the entire application
  Page Access Protection = Arguments Must have Checksum
  Application Item Protection = Checksum required - Session level
  Page Data Entry Item Protection = Checksum required - Session level
  Page Display-Only Item Protection = Checksum required - Session level
  This had the desired effect of applying these settings to everything.
  Having done that I needed to update the SSP to Patrick Wolf's Application Items in the following way...
  APEXLIB_REFERENCE_ID = Unrestricted
  APEXLIB_REFERENCE_TYPE = Unrestricted
  As a side note, I noticed that the Application Item FSP_AFTER_LOGIN_URL was also set to Unrestricted. I guess this is enforced by APEX to allow successful login to the application. All other application items were set to Checksum Required - Session Level as per the cross-application configuration I had initially done.
  Finally I had to review the pages that had the cascading LOVs that no longer functioned. For these pages I had to set the "Item Session State Protection" to Unrestricted for the poll down LOVs used in the Cascading LOV process. Parent LOVs and Child LOVs.
  The end result is that I have pretty tight SSP enabled across the entire application. The only areas where it is 'Unrestricted' are some of the cascading LOVs.
  I would be very interested to hear from anyone who would care to comment on the security weaknesses this approach may have created.
  I will update this thread if the SSP enabling has affected anything else in the application. So far though, it's only the Cascading LOVs.
  Kind regards
  Simon Gadd

• Session State Protection invalid Checksum errors show valid checksum

  Hi,
  I am investigating Session Sate Prtection to let me make my appications more secure.
  I have created a simple Report / Form pair that allows me to open an item for edditing.
  I have set the Application to Session State Protection 'Enabled' and and my form page to Page Access Prtection 'Arguments Must Have Checksum'.
  From my report page I click on the edit icon for a row and I get the edit page with the url:
  f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1179&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
  If I then manually manipulate this url, to change my P3_WORK_PACKAGE_ID from 1179 to 1180, to:
  f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
  I get an error of:
  Error The checksum computed on the request, clear cache, argument names, and argument values (P3_WORK_PACKAGE_ID1180 [01BE394775DB7B5A861BEA77B6637A46] ) did not match the checksum passed into the show procedure (CC0C97D3A8B114D2E40EDF158C0AECFB).
  All well and good, but it tells me what the checksum should be. I can now update the url to use the displayed checksum to make the url:
  f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=301BE394775DB7B5A861BEA77B6637A46
  the form opens for P3_WORK_PACKAGE_ID 1180.
  How do I stop the error message telling my how to bypass the checksum security?
  Thanks,
  Martin

  I am not sure but maybe this detailed message is coming if you are logged in to Apex and otherwise it is showing more general error message with no checksum?

• Session state protection disables running of pages without argument

  Hi all,
  Shared Components=>Security=>Authentication Schemes=>Application Express - Current
  I did the folowwing steps :
  Shared Components=>Security=>Session State Protection=> Set Protection button
  in the folowwing screen press Enable followed by next
  in the next screen Press the Enable Session State Protections
  in the page Shared Components>Session State Protection>Session State Protection by Page
  both page 0 and 1 are unrestricted
  stil I can't run my app
  page 1 error :
  No checksum was provided to show processing for a page that requires a checksum when one or
  more request, clear cache, or argument values are passed as parameters.
  page 0 and 1 have no items
  page 1 has one region of type list
  and uses the list found on page 0 but uses a list template override od Pull Down Menu with
  Image the same list on page 0 has a list template of DHTML Menu with Sublist
  I am at a loss the nly solutions is to put session state protection off all together
  please help
  Kr
  Martin

  No problems if you run the app directly likes so :
  http://apex.oracle.com/pls/otn/f?p=29691:1
  when you login through apex.oracle.com
  WS : martijnke
  login guest
  passw : apex_demo
  then the error occurs
  it seems that from the buikder I can't run any page that does not have any parameters
  even if I make those pages unrestricted
  Martin

• Session State Protection breaks Cascading LOV.

  Hi,
  Whenever I turn Session State Protection on my application , with option 'Arguments Must Have Checksum' on the page level,
  Items defined with a cascading LOV will not work. Once session state protection is on for the page, and I change the value of a parent
  LOV, the Child Item LOV (defined with Cascading LOV) will not show any value and the 'round working icon' will just keep on going
  and does not end, The Child/Cascading LOV seems to be just hanging and not return any values. This happens consistently (APEX 4.1.1.).
  There are no threads existing for this behavior, would like to know if this is a known issue and if there is a fix.
  Thanks,
  Ramon

  The documentation says, "If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit)." In practice, what this means (among other things) is that items that are identified as "Cascading LOV Parent Item(s)" must have "Session State Protection" set to "Unrestricted".

• How to use session state protection

  I use Apex 3.2.1
  I access my site by a url passing a parameter like this : f?p=101:1:0::::ITEM1:1234567. There is no login and password to access the site.
  The value of the parameter ITEM1 is the authorization of the first page, with a database function for the verification.
  To secure my site I want to use session state protection so, I enabled it , then I defined "Arguments Must have checksum" for the page 1.
  Now , when i try to acces my site with the same url it does not work.
  it is the first time a try to use session state protection, could someone tell me what's wrong?

  Hi user5719906,
  I would suggest that as you need to pass an item and are unable to generate a checksum as you are not yet logged in, that you will need to allow arguments without checksum for this page.
  This could be a bit of a hole in your security, but as long as you know it is there and clear the cache for all pages that you branch to, you should be able work around it.
  The issue is that a malicious user can set page and application items via the url to an unsecured page.
  Regards
  Michael

• Session State Protection Confusion!

  Hello all,
  I'm looking into SSP, and find it very confusing; there are so many ways to implement it, and I'm just not sure which I should choose.
  I basically want to stop people tampering with the URL to change the values of variables and the like. I have currently enabled SSP for every page, which seems to work fine.
  However, you can also do it for each item and application item; is this also necessary, or are these options only there if I only wanted to enable SSP for a very specific thing (item) rather than an entire page?
  Does enabling SSP at page level protect the items (application and other) on that page in the same way enabling SSP for each of those items would do?
  Also, are there any implications from using SSP? Will some things not work if I enable it in some instances?
  Thanks for your help.
  Robin

  Robin,
  These are all good questions.
  What situations would arise when you'd want to use "No URL Access" for page access protection and "Restricted - May not be set from browser" for various item protections?
  Sometimes you have pages that you would never want a user to "get to" unless they had used the navigation controls that you built into the application. For example, the intermediate steps within a wizard. You may have seen examples of this in the Application Builder as you step through wizards (and in other places) where you'll be on a page and in the URL all you see is ..wwv_flow.accept, with no f?p URL that tells you what page ID was requested. This is an example of a Branch to Page branch in use. This type of branch does not do a redirect to an f?p URL but instead has the engine's "accept" procedure (from the last page submission) call the engine's "show" procedure directly using PL/SQL without introducing a new HTTP request. So if you have pages like that and you use Branch to Page branches as the "normal" way to get to them AND you want to prevent users from specifying those page IDs in URLS, then this feature of Session State Protection is available to support that.
  and how does the "Restricted - May not..." differ from the "Checksum Required - Session Level"; is that literally where a user can't alter the value of an item in the application, or is there more to it than that?
  Restricted ... prevents an item from being altered from outside the application. The only way you can set or change these items is by application logic. This feature can be used for items even if Session State Protection is not enabled for the application.
  Also, I can't understand just what user level and application level checksums would be useful for.
  Normally, when SSP checksums are generated, they are good for the current session. Say you have a URL like:
  f?p=100:55:ssssssss::NO::P1_ITEM,P2_ITEM:some-value-1,some-value2&cs=38DDFE1C102BDE167BCD66F4C2E77E16E
  A curious user might say, oh, I think I'll bookmark that link and run it again tomorrow to set the same page items to the same values. Well that doesn't work because the checksum is session ID specific. This also makes the hashing algorithm more secure.
  But sometimes you want to provide checksum-secured links that users can bookmark. Maybe you want to email a link to your application to a specific user and the link provides some key value that should be used by that specific user only (and you have authorization logic in the application to enforce that), like f?p...P10_USER_KEY:ABc568zz&cs=238DDFE1C102BDE167BCD66F4C2E77E16D. This is where the use of a User-Level checksum would be applicable. After the user clicks on the link and authenticates, the provided checksum can be verified against a new checksum computed on P10_USER_KEY:ABc568zz. These links can be used across sessions for this type of use but the checksum prevents alteration of the request arguments even by the intended user.
  The third type of checksum is the Application-Level (or Workspace-Level) checksum. Links with this type of checksum can be used by any user so long as the requested application is really the same application from the same workspace that generated the link. The checksum prevents alteration of the request arguments by the user.
  Scott

• Interactive Report Download and Session State Protection

  I have created an Interactive Report in an APEX application that I have enabled
  session state protection for. The issue I am having is with the "Download"
  functionality of the interactive report to a .csv file.
  The URL created by selecting Download from the drop down (javascript:gReport.controls.download();)
  is built or constructed without a checksum thus causing the error below.
  Error
  No checksum was provided to show processing for a page that
  requires a checksum when one or more request, clear cache, or argument
  values are passed as parameters.
  The anchor tag containing the URL (/f?p=app_id:page:session_id:CSV:) is contained within
  &lt;div id="apexir_CONTROL_PANEL_DROP" class="drop_panel
  clearfix" style=""&gt;
  Running the following: Application Express 3.1.0.00.32 on Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
  Is there a way to add a checksum to this? OR does anyone have any ideas on how to work around this?
  Edited by: Bryce Tuohy on Feb 26, 2009 10:08 AM

  WORKAROUND:
  1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
  Enter the following for the ITEM
  as the SOURCE_TYPE : PL/SQL Function Body
  as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
  2.) Create BUTTON that executes javascript to open POPUP window with this url.
  a.) Create Button and enter
  &lt;a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')"&gt;Download and Save to CSV file&lt;/a&gt;as the "Text Label/Alt"
  Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
  Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

• Session state protection violation

  I turned on the session state protection on my application, the setting for Application Item, Page Data Entry Item and page display-only item are "checksum-required, application level". I want the URL to be shared by user in different sessions (for example bookmark). when I open two browsers (IE, Firefox) and login as same user, I copied/pasted url from one browser to another and received "Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum."
  Did I misunderstand the intent usage of this feature? I also noticed that checksum generated by the system remains the same no matter what checksum level I set (application, user, session).
  I am running APEX 3.1.0.00.32.

  Cheng-Lu,
  I didn't forget you, this was a very difficult problem to debug.
  I think I have a workaround for you. I added a page process to your login page named "fix deep link item". This restores the value of FSP_AFTER_LOGIN_URL that gets passed to this login page and is supposed to be immediately saved in session state. Due to a bug, this value was getting truncated to "f" before it could be saved. The new page process looks at the current URL and uses the value there which is still intact and saves that value in session state. I tested it with your applications. Please let me know if this works. We'll make a proper fix in the 3.2 release.
  So this was not a problem with session state protection but in the "f" procedure which parses argument names/argument values in f?p URLs. This gets tripped up when an argument value contains a pattern like &cs= which is first treated as an argument to the orignal "f" call and therefore is never seen as an argument value in the list of arguments.
  I have some other observations about your applications. I see that they have code in the page sentry function attribute of the authentication scheme. The code you have in there is completely unnecessary and could actually make the application less secure. You should leave this attribute empty and let the default (built-in) page sentry do all the work.
  Scott

• Session State Protection Violation error

  I am developing my first Apex application. I have this page which has been running fine until I made some changes. The error I get is the following:
  -----Error message:
  Session state protection violation. This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
  --End of error message.
  This happens Whenever the page is submitted for process, e.g. when I select from a "LOV with Submit" item or when I click the "Save Changes" button. It is fine if the button redirects to another page. Using Debug, I saw that the error occurs right after "Fetch page attributes" and before "Fetch session state from database".
  About the changes I made before this error first surfaced: nothing to do with session state protection and nothing I can think of that is related to session state protection. In fact, I did not specify any session state protection at any level at this stage. That is, all pages and items are unrestricted. I did add a javascript to the page which is invoked onChange of an item to update another item. I made the same changes (except for the Javascript) to another similar page which is still running fine.
  I tried logging out of Apex (I am using OracleXE) and getting back on, the error still persists. I even shut down and restart the Apex database to no avail.
  Can anyone point me to where it might be the cause of this problem? Thank your help and/or suggestions in advance.
  Message was edited by:
  muighi

  Scott - I should have posted this question sooner! I wasted a whole day trying to figure this out. Thanks a lot, Scott. By the way, where can I find any documented known bugs in Apex?
  --Candy                                                                                                                                                                                                                                                                                                                                                                                                               

• Report Print Attributes and Session State Protection

  Hi all,
  I have a report (old style Apex report, not an IR) that I would like to have a Print option, producing a PDF output.
  The report is on a page that takes a number of arguments and uses the page security option "Arguments require checksum".
  When I turn on the Enable Report Printing option in the report, the Print link appears at the bottom of the report. However, clicking Print leads to the following message:
  "Error      No checksum was provided to show processing for a page that requires a checksum when one or more request, clear cache, or argument values are passed as parameters."
  Disabling Session State Protection for that page makes the report link work, but I would prefer not to do that.
  How do I get the built-in report print option to generate the required checksum?
  I'm using Apex 4.0.2.00.07, by the way.
  Alex

  WORKAROUND:
  1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
  Enter the following for the ITEM
  as the SOURCE_TYPE : PL/SQL Function Body
  as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
  2.) Create BUTTON that executes javascript to open POPUP window with this url.
  a.) Create Button and enter
  &lt;a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')"&gt;Download and Save to CSV file&lt;/a&gt;as the "Text Label/Alt"
  Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
  Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

• Session State Protection Error

  Hello All,
  I have recently made some manual changes in my data tables for my application. When I went to test my changes I received a new error I have never seen.
  Session state protection violation: This may be caused by manual alteration of protected page item 57299492617521335525. If you are unsure what caused this error, please contact the application administrator for assistance.
  Contact your application administrator.
  I have never seen this error. Can someone help?
  Thanks
  Ryan

  Did you delete some columns? Drop some tables? I think this is something related to that... if true, then you should manually go to each page and verify your tables, columns, procedure calls, etc....
  User: 901292 (did your family gave you that name? Amazing)....
  Total Posts:     45
  Total Questions:     27 (25 unresolved)
  Start closing topics and rewarding people with points.
  Edited by: Vitor Rodrigues on 13/Fev/2012 15:39

• Session state protection and read-only items

  I have a requirement to create a report + form for a database table. In the form, there is mandatory database column that needs to be displayed but it should be read-only and its value derived using values entered elsewhere on the screen.
  It tried Display Only, Read Only and Disabled but they either fall foul of session state protection violation or ORA-01400: cannot insert NULL. The best method that I've found was to add readonly="readonly" the item element, but this causes the input item to lose its APEX classes and I'd prefer a declarative solution anyway.
  Anyone know the best approach?
  I've created a DEMO - http://apex.oracle.com/pls/apex/f?p=READONLY - which demonstrates the 4 methods.
  Edited by: KGelling on 17-May-2012 06:10

  KGelling wrote:
  The best method that I've found was to add readonly="readonly" the item element, but this causes the input item to lose its APEX classes and I'd prefer a declarative solution anyway.Looks like a bug to me. However a possible explanation/justification for this behaviour is that the HTML Form Element Attributes are often used to specify a custom class for the item, so the default class is removed to prevent any conflicts. IMO APEX needs to provide declarative support for the use of multiple, space-separated class values in page, region, item etc attributes.
  As a workaround in this case, just include the class in the HTML Form Element Attributes:
  class="number_field" readonly="readonly"
  I've created a DEMO - http://apex.oracle.com/pls/apex/f?p=READONLY - which demonstrates the 4 methods.
  Thanks for making the effort.