Session State Protection invalid Checksum errors show valid checksum

Hi,
I am investigating Session Sate Prtection to let me make my appications more secure.
I have created a simple Report / Form pair that allows me to open an item for edditing.
I have set the Application to Session State Protection 'Enabled' and and my form page to Page Access Prtection 'Arguments Must Have Checksum'.
From my report page I click on the edit icon for a row and I get the edit page with the url:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1179&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
If I then manually manipulate this url, to change my P3_WORK_PACKAGE_ID from 1179 to 1180, to:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=3CC0C97D3A8B114D2E40EDF158C0AECFB
I get an error of:
Error The checksum computed on the request, clear cache, argument names, and argument values (P3_WORK_PACKAGE_ID1180 [01BE394775DB7B5A861BEA77B6637A46] ) did not match the checksum passed into the show procedure (CC0C97D3A8B114D2E40EDF158C0AECFB).
All well and good, but it tells me what the checksum should be. I can now update the url to use the displayed checksum to make the url:
f?p=126:3:7115846938209895::::P3_WORK_PACKAGE_ID:1180&cs=301BE394775DB7B5A861BEA77B6637A46
the form opens for P3_WORK_PACKAGE_ID 1180.
How do I stop the error message telling my how to bypass the checksum security?
Thanks,
Martin

I am not sure but maybe this detailed message is coming if you are logged in to Apex and otherwise it is showing more general error message with no checksum?

Similar Messages

Session State Protection - Arguments must have Checksum - Help Required

Hi everyone,
I am using apex 4.0 and have set:
Session State Protection = True
Page Access Protection = Arguments must have checksum
Application Item Protection = Cecksum required - Session Level
Page Data Entry Item Protection = Cecksum required - Session Level
Page Display-Only Item Protection = Cecksum required - Session Level
On pages which contain a Interactive report the calls to other pages to update and or delete a record passing the PK of the record work OK.
I have set these as follows:
In the Interactive report LInk Colomn --> Link Attribute = onclick="new top.Ext.apex.PopupWindow( { url: this.href, title: 'Edit Classification Details', width: 530, height: 500, listeners: {'success': gReport.search} } ).show(); return false;"
Target = Page in this Application
Page = 302Item = P302_IDCLASS
Value = #IDCLASS#
Page Checksum = - User Default -
The problem is on the "Create new record" button which is located on the Interactive report page. I have defined the button as:
Button Attributes = onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:302::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
Action when button click = Redirect to Page in this Application
Page = 302
Clear Cache = 302
When I click the button I get the following message:
Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
If I change the Button attributes to be:
onclick="new top.Ext.apex.PopupWindow({ url:'f?p=&APP_ID.:302:&APP_SESSION.::NO:::::', title: 'Create New Classification', width: 530, height: 500, listeners: {'success': gReport.search} }).show(); return false;"
It works OK, bu the page items are not clear.
Could someone please explaing to me what am I doing wrong so I understand my mistake ?
Thank you
Daniel

Here's an interesting situation. I have been having great results with the prepare_url function, until I needed to pass a column value from a report into a popup.
Originally, in the Column Link --> URL in the Report Attributes I had this. This worked great when there was no session state protection enabled.
javascript:popUp('f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#','450','375');When I enabled session state protection and changed the URL link to this
javascript:popUp('&VW_EVENT_LOG.','450','375');and then created an application item and computation in order to pass a checksum along
APEX_UTIL.PREPARE_URL (
p_url => 'f?p=&APP_ID.:17:&SESSION.::&DEBUG.:17:P17_EVENT_LOG_ID:#EVENT_LOG_ID#',
p_checksum_type => 3
);the checksum seems to get passed fine, but the column value for the EVENT_LOG_ID is being concatenated to the end of the checksum instead of being passed as the value for P17_EVENT_LOG_ID. I also noticed that the clear cache page (17) looks like it is also being attached to the beginning of P17_.., but I'm not sure if that's to be expected or not.
It took me a while to figure it out, but when I started looking at the error message closely, I could see that the checksum is identical except for the last two digits, which coincidentally are the same as the ID for this record.
The checksum computed on the request, clear cache, argument names,
and argument values (17P17_EVENT_LOG_ID [C6161B29B4C078F68DCF430133407754] ) did not match the checksum
passed into the show procedure (C6161B29B4C078F68DCF43013340775490). Any thoughts on how to pass a column value with a checksum to a popup window?
Thanks,
Joe

Session State Protection Violation error

I am developing my first Apex application. I have this page which has been running fine until I made some changes. The error I get is the following:
-----Error message:
Session state protection violation. This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum. If you are unsure what caused this error, please contact the application administrator for assistance.
--End of error message.
This happens Whenever the page is submitted for process, e.g. when I select from a "LOV with Submit" item or when I click the "Save Changes" button. It is fine if the button redirects to another page. Using Debug, I saw that the error occurs right after "Fetch page attributes" and before "Fetch session state from database".
About the changes I made before this error first surfaced: nothing to do with session state protection and nothing I can think of that is related to session state protection. In fact, I did not specify any session state protection at any level at this stage. That is, all pages and items are unrestricted. I did add a javascript to the page which is invoked onChange of an item to update another item. I made the same changes (except for the Javascript) to another similar page which is still running fine.
I tried logging out of Apex (I am using OracleXE) and getting back on, the error still persists. I even shut down and restart the Apex database to no avail.
Can anyone point me to where it might be the cause of this problem? Thank your help and/or suggestions in advance.
Message was edited by:
muighi

Scott - I should have posted this question sooner! I wasted a whole day trying to figure this out. Thanks a lot, Scott. By the way, where can I find any documented known bugs in Apex?
--Candy

Problem since upgrade to 2.0 "Error: Session state protection violation"

I've upgraded to 2.0. Everything fine except one particular page when I submit it I get "Error: Session state protection violation". I have read up about session state protection, and it is turned off in my application. There are no items, pages or URLs that have any session state protection. There is nothing particularly different about this screen when compared to other screens that work. What can be causing this?
Steve

Steve - Thanks for putting that test case out there. This is an odd bug. It happens when you apply the read-only attribute to a "Display as Text (does not save state)" item. Normally, these items are not HTML input items on the page (you see only the value rendered). However, because of a bug, applying the read-only attribute causes an INPUT item to be created. This leads to the problem that you saw -- when an item that should never be POSTed because it is: a) an application item, b) a page item that has the Session State Protection attribute "Restricted - May not be set from browser", or c) a page item of display type "Display as Text (does not save state)", is POSTed, the Session State Protection violation is detected and reported. These checks are performed whether the Session State Protection feature is enabled for the application or not. The reason for that is that checking for cases(a) and (c) is always legitimate and checking for case (b) is always necessary because the Restricted attribute for page items of qualifying display types is always in effect.
So the workaround in your case is not to use the read-only attribute for the display-only items. They are read-only anyway.
Thanks again for pointing this out.
Scott

Session State Protection Error

Hello All,
I have recently made some manual changes in my data tables for my application. When I went to test my changes I received a new error I have never seen.
Session state protection violation: This may be caused by manual alteration of protected page item 57299492617521335525. If you are unsure what caused this error, please contact the application administrator for assistance.
Contact your application administrator.
I have never seen this error. Can someone help?
Thanks
Ryan

Did you delete some columns? Drop some tables? I think this is something related to that... if true, then you should manually go to each page and verify your tables, columns, procedure calls, etc....
User: 901292 (did your family gave you that name? Amazing)....
Total Posts: 45
Total Questions: 27 (25 unresolved)
Start closing topics and rewarding people with points.
Edited by: Vitor Rodrigues on 13/Fev/2012 15:39

Session state protection violation: This may be caused by manual alteration of protected page item P300_name. If you are unsure what caused this error, please contact the application administrator for assistance.

HI ,
the application item is working fine previously. i did not change anything. it is giving error message on p300_name when i submit page
p300_name is text filed.
html form element attributes: disabled="disabled"
source used: always replace any existing value
source type :database columm
: per session
source value: name
default_value: g_name (global variable)
read only: always
read only attributes: name
Please help me to fix this error.
Thanks,

Check the Security attributes of the item, namely 'session state protection'
Similar attributes at page level

Interactive Report Download and Session State Protection

I have created an Interactive Report in an APEX application that I have enabled
session state protection for. The issue I am having is with the "Download"
functionality of the interactive report to a .csv file.
The URL created by selecting Download from the drop down (javascript:gReport.controls.download();)
is built or constructed without a checksum thus causing the error below.
Error
No checksum was provided to show processing for a page that
requires a checksum when one or more request, clear cache, or argument
values are passed as parameters.
The anchor tag containing the URL (/f?p=app_id:page:session_id:CSV:) is contained within
<div id="apexir_CONTROL_PANEL_DROP" class="drop_panel
clearfix" style="">
Running the following: Application Express 3.1.0.00.32 on Oracle Database 10g Enterprise Edition Release 10.2.0.3.0
Is there a way to add a checksum to this? OR does anyone have any ideas on how to work around this?
Edited by: Bryce Tuohy on Feb 26, 2009 10:08 AM

WORKAROUND:
1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
Enter the following for the ITEM
as the SOURCE_TYPE : PL/SQL Function Body
as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
2.) Create BUTTON that executes javascript to open POPUP window with this url.
a.) Create Button and enter
<a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')">Download and Save to CSV file</a>as the "Text Label/Alt"
Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

Session state protection disables running of pages without argument

Hi all,
Shared Components=>Security=>Authentication Schemes=>Application Express - Current
I did the folowwing steps :
Shared Components=>Security=>Session State Protection=> Set Protection button
in the folowwing screen press Enable followed by next
in the next screen Press the Enable Session State Protections
in the page Shared Components>Session State Protection>Session State Protection by Page
both page 0 and 1 are unrestricted
stil I can't run my app
page 1 error :
No checksum was provided to show processing for a page that requires a checksum when one or
more request, clear cache, or argument values are passed as parameters.
page 0 and 1 have no items
page 1 has one region of type list
and uses the list found on page 0 but uses a list template override od Pull Down Menu with
Image the same list on page 0 has a list template of DHTML Menu with Sublist
I am at a loss the nly solutions is to put session state protection off all together
please help
Kr
Martin

No problems if you run the app directly likes so :
http://apex.oracle.com/pls/otn/f?p=29691:1
when you login through apex.oracle.com
WS : martijnke
login guest
passw : apex_demo
then the error occurs
it seems that from the buikder I can't run any page that does not have any parameters
even if I make those pages unrestricted
Martin

Report Print Attributes and Session State Protection

Hi all,
I have a report (old style Apex report, not an IR) that I would like to have a Print option, producing a PDF output.
The report is on a page that takes a number of arguments and uses the page security option "Arguments require checksum".
When I turn on the Enable Report Printing option in the report, the Print link appears at the bottom of the report. However, clicking Print leads to the following message:
"Error No checksum was provided to show processing for a page that requires a checksum when one or more request, clear cache, or argument values are passed as parameters."
Disabling Session State Protection for that page makes the report link work, but I would prefer not to do that.
How do I get the built-in report print option to generate the required checksum?
I'm using Apex 4.0.2.00.07, by the way.
Alex

WORKAROUND:
1.) Create hidden ITEM on page (I named it P23_PREPARED_CSV_DOWNLOAD_URL).
Enter the following for the ITEM
as the SOURCE_TYPE : PL/SQL Function Body
as the SOURCE: return apex_util.prepare_url('f?p=&APP_ID.:&APP_PAGE_ID.:&APP_SESSION.:CSV:')
2.) Create BUTTON that executes javascript to open POPUP window with this url.
a.) Create Button and enter
<a href="javascript:popupURL('&P23_PREPARED_CSV_DOWNLOAD_URL.')">Download and Save to CSV file</a>as the "Text Label/Alt"
Originally had custom code for javascript POPUP and this is not needed .... just use the APEX javascript function.
Edited by: Bryce Tuohy on Mar 5, 2009 10:47 AM

Session State Protection Confusion!

Hello all,
I'm looking into SSP, and find it very confusing; there are so many ways to implement it, and I'm just not sure which I should choose.
I basically want to stop people tampering with the URL to change the values of variables and the like. I have currently enabled SSP for every page, which seems to work fine.
However, you can also do it for each item and application item; is this also necessary, or are these options only there if I only wanted to enable SSP for a very specific thing (item) rather than an entire page?
Does enabling SSP at page level protect the items (application and other) on that page in the same way enabling SSP for each of those items would do?
Also, are there any implications from using SSP? Will some things not work if I enable it in some instances?
Thanks for your help.
Robin

Robin,
These are all good questions.
What situations would arise when you'd want to use "No URL Access" for page access protection and "Restricted - May not be set from browser" for various item protections?
Sometimes you have pages that you would never want a user to "get to" unless they had used the navigation controls that you built into the application. For example, the intermediate steps within a wizard. You may have seen examples of this in the Application Builder as you step through wizards (and in other places) where you'll be on a page and in the URL all you see is ..wwv_flow.accept, with no f?p URL that tells you what page ID was requested. This is an example of a Branch to Page branch in use. This type of branch does not do a redirect to an f?p URL but instead has the engine's "accept" procedure (from the last page submission) call the engine's "show" procedure directly using PL/SQL without introducing a new HTTP request. So if you have pages like that and you use Branch to Page branches as the "normal" way to get to them AND you want to prevent users from specifying those page IDs in URLS, then this feature of Session State Protection is available to support that.
and how does the "Restricted - May not..." differ from the "Checksum Required - Session Level"; is that literally where a user can't alter the value of an item in the application, or is there more to it than that?
Restricted ... prevents an item from being altered from outside the application. The only way you can set or change these items is by application logic. This feature can be used for items even if Session State Protection is not enabled for the application.
Also, I can't understand just what user level and application level checksums would be useful for.
Normally, when SSP checksums are generated, they are good for the current session. Say you have a URL like:
f?p=100:55:ssssssss::NO::P1_ITEM,P2_ITEM:some-value-1,some-value2&cs=38DDFE1C102BDE167BCD66F4C2E77E16E
A curious user might say, oh, I think I'll bookmark that link and run it again tomorrow to set the same page items to the same values. Well that doesn't work because the checksum is session ID specific. This also makes the hashing algorithm more secure.
But sometimes you want to provide checksum-secured links that users can bookmark. Maybe you want to email a link to your application to a specific user and the link provides some key value that should be used by that specific user only (and you have authorization logic in the application to enforce that), like f?p...P10_USER_KEY:ABc568zz&cs=238DDFE1C102BDE167BCD66F4C2E77E16D. This is where the use of a User-Level checksum would be applicable. After the user clicks on the link and authenticates, the provided checksum can be verified against a new checksum computed on P10_USER_KEY:ABc568zz. These links can be used across sessions for this type of use but the checksum prevents alteration of the request arguments even by the intended user.
The third type of checksum is the Application-Level (or Workspace-Level) checksum. Links with this type of checksum can be used by any user so long as the requested application is really the same application from the same workspace that generated the link. The checksum prevents alteration of the request arguments by the user.
Scott

Session State Protection breaks Cascading LOV.

Hi,
Whenever I turn Session State Protection on my application , with option 'Arguments Must Have Checksum' on the page level,
Items defined with a cascading LOV will not work. Once session state protection is on for the page, and I change the value of a parent
LOV, the Child Item LOV (defined with Cascading LOV) will not show any value and the 'round working icon' will just keep on going
and does not end, The Child/Cascading LOV seems to be just hanging and not return any values. This happens consistently (APEX 4.1.1.).
There are no threads existing for this behavior, would like to know if this is a known issue and if there is a fix.
Thanks,
Ramon

The documentation says, "If you need to set this item's value in session state using Ajax, then an Unrestricted protection level must be used for the item (for example in Dynamic Actions, Set Value, Page Items to Submit or Cascading LOVs, Page Items to Submit)." In practice, what this means (among other things) is that items that are identified as "Cascading LOV Parent Item(s)" must have "Session State Protection" set to "Unrestricted".

Session state protection violation

I turned on the session state protection on my application, the setting for Application Item, Page Data Entry Item and page display-only item are "checksum-required, application level". I want the URL to be shared by user in different sessions (for example bookmark). when I open two browsers (IE, Firefox) and login as same user, I copied/pasted url from one browser to another and received "Session state protection violation: This may be caused by manual alteration of a URL containing a checksum or by using a link with an incorrect or missing checksum."
Did I misunderstand the intent usage of this feature? I also noticed that checksum generated by the system remains the same no matter what checksum level I set (application, user, session).
I am running APEX 3.1.0.00.32.

Cheng-Lu,
I didn't forget you, this was a very difficult problem to debug.
I think I have a workaround for you. I added a page process to your login page named "fix deep link item". This restores the value of FSP_AFTER_LOGIN_URL that gets passed to this login page and is supposed to be immediately saved in session state. Due to a bug, this value was getting truncated to "f" before it could be saved. The new page process looks at the current URL and uses the value there which is still intact and saves that value in session state. I tested it with your applications. Please let me know if this works. We'll make a proper fix in the 3.2 release.
So this was not a problem with session state protection but in the "f" procedure which parses argument names/argument values in f?p URLs. This gets tripped up when an argument value contains a pattern like &cs= which is first treated as an argument to the orignal "f" call and therefore is never seen as an argument value in the list of arguments.
I have some other observations about your applications. I see that they have code in the page sentry function attribute of the authentication scheme. The code you have in there is completely unnecessary and could actually make the application less secure. You should leave this attribute empty and let the default (built-in) page sentry do all the work.
Scott

How to use session state protection

I use Apex 3.2.1
I access my site by a url passing a parameter like this : f?p=101:1:0::::ITEM1:1234567. There is no login and password to access the site.
The value of the parameter ITEM1 is the authorization of the first page, with a database function for the verification.
To secure my site I want to use session state protection so, I enabled it , then I defined "Arguments Must have checksum" for the page 1.
Now , when i try to acces my site with the same url it does not work.
it is the first time a try to use session state protection, could someone tell me what's wrong?

Hi user5719906,
I would suggest that as you need to pass an item and are unable to generate a checksum as you are not yet logged in, that you will need to allow arguments without checksum for this page.
This could be a bit of a hole in your security, but as long as you know it is there and clear the cache for all pages that you branch to, you should be able work around it.
The issue is that a malicious user can set page and application items via the url to an unsecured page.
Regards
Michael

Session State Protection

This is a spinoff of another thread in which Scott Spadafore was teaching how to effectively escape user-supplied data. This will be about Session State Protection in 2.0.
I had asked Scott, "if I simply select the Restricted setting on this feature for every single item in my application, is that sufficient to protect me from URL tampering?"
Scott replied: "No. First, you can't use that setting for POSTable items. Second, you need to pass item values via URL within your app, I assume, so the restricted setting is, er, too restrictive."
OK, digging into the user guide I see that the first step is to enable session state protection. I drill down: Application -> Shared Components -> Session State Protection -> Set Protection.
Now I click Enable and then on the next screen Enable Session State Protection. I assume I have accepted all of the default settings on the Configure page:
Page Access Protection - Arguments Must Have Checksum
Application Item Protection - Checksum Required - Session Level
Page Data Entry Item Protection - Checksum Required - Session Level
Page Display-Only Item Protection - Checksum Required - Session Level
Is it safe to say that you will generally want Session Level Checksums? The help says, "Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session." I can't really think of why I wouldn't want this.
Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?
For a live application, I am putting my application at risk at all by doing this? Has the Session State Protection had any issues that might negatively impact my live application? If I find there are any, can I disable it and be back where I started without any complications?
Thanks, Scott.
Bill
Message was edited by:
jkestely

Is it safe to say that you will generally want Session Level Checksums? ... I can't really think of why I wouldn't want this.Yes. The other types are for allowing users to bookmark URLs that contain checksums, either for their own use in later sessions in which they are authenticated to the same application or for use by unauthenticated users to the same application.
Once I have clicked Enable Session State Protection, have I accomplished anything or am I just getting started?That's most of it. If your dynamic regions produce links to pages and those pages require checksums, you need to change the link-generation code to use htmldb_util.prepare_url.
For a live application, I am putting my application at risk at all by doing this?Yes, changes to live applications result in disaster most of the time in my experience.
Has the Session State Protection had any issues that might negatively impact my live application?There is a bug that prevents sortable report heading links from being used on pages that require checksums. The bug is fixed in 2.1, but for 2.0 you need to not use that combination.
If I find there are any, can I disable it and be back where I started without any complications?Yes, in fact all you have to do is disable the feature at the application level, leaving page and item attributes as they are.
Scott

SSP broke my LOV :-( - Session State Protection Issue

Hi Folks.
I'm tinkering with SSP on my application.
Here's the challenge du jour.
If I enable SSP across the entire application I can't even log in. That was resolved by setting the login page to 'Unrestricted'. not sure of the security implication of doing that but bear with me.
My main Issue is this.
I am using Patrick's APEXLIB for Cascading LOV functionality.
My Parent LOV works fine.
My Child LOV is blank.
I have modified everything on the page to 'Unrestricted' and still I end up with a blank child LOV.
Any ideas how to skin this cat?
Many thanks
Simon

OK so here's how i 'fixed' this issue. I say fixed but I would welcome any comments regarding the security impact of the 'fix' I came up with.
First of all I enabled SSP across the entire application
Page Access Protection = Arguments Must have Checksum
Application Item Protection = Checksum required - Session level
Page Data Entry Item Protection = Checksum required - Session level
Page Display-Only Item Protection = Checksum required - Session level
This had the desired effect of applying these settings to everything.
Having done that I needed to update the SSP to Patrick Wolf's Application Items in the following way...
APEXLIB_REFERENCE_ID = Unrestricted
APEXLIB_REFERENCE_TYPE = Unrestricted
As a side note, I noticed that the Application Item FSP_AFTER_LOGIN_URL was also set to Unrestricted. I guess this is enforced by APEX to allow successful login to the application. All other application items were set to Checksum Required - Session Level as per the cross-application configuration I had initially done.
Finally I had to review the pages that had the cascading LOVs that no longer functioned. For these pages I had to set the "Item Session State Protection" to Unrestricted for the poll down LOVs used in the Cascading LOV process. Parent LOVs and Child LOVs.
The end result is that I have pretty tight SSP enabled across the entire application. The only areas where it is 'Unrestricted' are some of the cascading LOVs.
I would be very interested to hear from anyone who would care to comment on the security weaknesses this approach may have created.
I will update this thread if the SSP enabling has affected anything else in the application. So far though, it's only the Cascading LOVs.
Kind regards
Simon Gadd

Session State Protection invalid Checksum errors show valid checksum

Similar Messages

Maybe you are looking for