Session State Protection is a built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.
Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes.
When enabled, Session State Protection uses the Page Access Protection attributes and the Session State Protection item attributes, together with checksums placed in f?p= URLs, to prevent URL tampering and unauthorized access to and alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and checksums are not included in generated f?p= URLs.
You can enable session state protection from either the Edit Security Attributes page or the Session State Protection page.
Enabling Session State Protection is a two-step process. First, you enable the feature. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.
Topics:
Enabling Session State Protection from Edit Security Attributes
Enabling Session State Protection from Session State Protection
To enable Session State Protection from the Edit Security Attributes page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click the Shared Components icon.
Under Security, click Edit Security Attributes.
Scroll down to Session State Protection and select Enabled from the Session State Protection list.
To configure Session State Protection, click Manage Session State Protection.
The Session State Protection page appears.
Navigate to the Edit Security Attributes page to set page and item security attributes.
Tip: To disable Session State Protection, perform the same steps again, but select Disabled instead of Enabled. Disabling Session State Protection will not change existing security attribute settings, but those attributes will be ignored at run time.
Enabling Session State Protection affects whether bookmarked links to the current application will work. Consider the following rules:
Bookmarked links created after Session State Protection is enabled will work if the bookmarked link contains a checksum.
Bookmarked links created before Session State Protection is enabled will not work if the bookmarked link contains a checksum.
Bookmarks that do not contain checksums or contain unnecessary checksums will not be affected by Session State Protection.
During page rendering, the Application Express engine uses a hidden application attribute (a checksum salt) to compute and to verify the checksums included in f?p URLs. When you enable Session State Protection, the Application Express engine includes checksums. You can reset the checksum salt attribute by clicking Expire Bookmarks on the Edit Security Attributes page. Note that if you click Expire Bookmarks, bookmarked URLs used to access your application that contain previously generated checksums will fail.
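The three checksum scopes that the item protection options later on this page describe (Application, User and Session Level), together with the salt that Expire Bookmarks resets, as an added Python model. This is not Oracle APEX's own algorithm or code: the HMAC construction, the fields each scope binds to, and all workspace, user, session and salt values are assumptions made for illustration.

```python
import hmac
import hashlib
from enum import IntEnum


class Level(IntEnum):
    """Item protection levels from the page; a higher level is a more specific checksum."""
    UNRESTRICTED = 0
    APPLICATION = 1   # generated by any user of the same application, any session
    USER = 2          # generated by the same named user, any session
    SESSION = 3       # generated in the current session only


def _scope(level, ctx):
    """Context fields a checksum of the given level is bound to (assumed model, not APEX's format)."""
    if level == Level.APPLICATION:
        return (ctx["workspace"], ctx["app"])
    if level == Level.USER:
        return (ctx["workspace"], ctx["app"], ctx["user"])
    if level == Level.SESSION:
        return (ctx["workspace"], ctx["app"], ctx["user"], ctx["session"])
    raise ValueError("unrestricted items carry no checksum")


def compute_checksum(level, args, salt, ctx):
    """HMAC-SHA256 over the scope and the sorted name/value arguments, keyed with the hidden salt."""
    scope = "|".join(map(str, _scope(level, ctx)))
    payload = "&".join(f"{k}={v}" for k, v in sorted(args.items()))
    return hmac.new(salt, f"{scope}||{payload}".encode(), hashlib.sha256).hexdigest()[:16]


def verify(required, args, cs, salt, ctx):
    """Accept the URL if a checksum at the required level, or any more specific one, verifies
    under the *current* context; this is why a session-level checksum satisfies a user-level item."""
    if required == Level.UNRESTRICTED:
        return True
    for level in (Level.APPLICATION, Level.USER, Level.SESSION):
        if level >= required and hmac.compare_digest(compute_checksum(level, args, salt, ctx), cs):
            return True
    return False


def demo():
    """Constructed contexts: two sessions of ALICE and one of BOB in the same workspace and app."""
    salt = b"constructed-salt-1"          # stands in for the hidden checksum salt attribute
    alice_s1 = {"workspace": "WS", "app": 100, "user": "ALICE", "session": 1}
    alice_s2 = {"workspace": "WS", "app": 100, "user": "ALICE", "session": 2}
    bob_s3 = {"workspace": "WS", "app": 100, "user": "BOB", "session": 3}
    args = {"P2_ID": "42"}
    user_cs = compute_checksum(Level.USER, args, salt, alice_s1)
    app_cs = compute_checksum(Level.APPLICATION, args, salt, bob_s3)
    sess_cs = compute_checksum(Level.SESSION, args, salt, alice_s1)
    return {
        "user_cs_other_session": verify(Level.USER, args, user_cs, salt, alice_s2),
        "user_cs_other_user": verify(Level.USER, args, user_cs, salt, bob_s3),
        "app_cs_meets_app_level": verify(Level.APPLICATION, args, app_cs, salt, alice_s1),
        "app_cs_fails_user_level": verify(Level.USER, args, app_cs, salt, alice_s1),
        "session_cs_meets_user_level": verify(Level.USER, args, sess_cs, salt, alice_s1),
        "session_cs_other_session": verify(Level.SESSION, args, sess_cs, salt, alice_s2),
        "tampered_value": verify(Level.APPLICATION, {"P2_ID": "43"}, app_cs, salt, alice_s1),
        # Expire Bookmarks resets the salt, so every previously generated checksum fails
        "after_expire_bookmarks": verify(Level.APPLICATION, args, app_cs, b"constructed-salt-2", alice_s1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'accepted' if ok else 'rejected'}")
```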
To enable Session State Protection:
Navigate to the Shared Components page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears. Note that the current Session State Protection status (Enabled or Disabled) displays at the top of the page.
Click the Set Protection button.
The Session State Protection wizard appears.
Under Select Action, select Enable and click Next.
Next, determine whether to set security attributes for pages and items.
Select Enable and click Next.
Click Enable Session State Protection.
Tip: To disable Session State Protection, perform the same steps, but select Disable instead of Enable. Disabling Session State Protection will not change existing security attribute settings, but those attributes will be ignored at run time.
Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:
Use a wizard and select a value for specific attribute categories. Those selections will then be applied to all pages and items within the application.
Configure values for individual pages, items, or application items.
Tip: Before you can configure security attributes, you must first enable Session State Protection. See "Enabling Session State Protection".
You can review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.
To view summaries of existing Session State Protection settings:
Navigate to the Session State Protection page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears.
Click Set Protection.
Expand the following reports at the bottom of the page:
Page Level Session State Protection Summary
Page Item Session State Protection Summary
Application Item Session State Protection
When you configure Session State Protection using a wizard, you set a value for specific attribute categories. Those selections are then applied to all pages and items within the application.
To configure Session State Protection using a wizard:
Navigate to the Session State Protection page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears.
Click Set Protection.
The Session State Protection wizard appears.
Under Select Action, select Configure and click Next.
For Page Access Protection, select one of the following:
Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).
Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.
No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.
For Application Item Protection, select one of the following:
Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is also provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed even if Session State Protection is disabled.
Use this attribute for application items or for page items with any of these Display As types:
Display as Text (escape special characters, does not save state)
Display as Text (does not save state)
Display as Text (based on LOV, does not save state)
Display as Text (based on PLSQL, does not save state)
Text Field (Disabled, does not save state)
Stop and Start HTML Table (Displays label only)
For Page Data Entry Item Protection, select one of the following:
Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
For Page Display-Only Item Protection, select one of the following:
Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled.
This attribute may be used with any of these Display As types:
Display as Text (escape special characters, does not save state)
Display as Text (does not save state)
Display as Text (based on LOV, does not save state)
Display as Text (based on PLSQL, does not save state)
Text Field (Disabled, does not save state)
Stop and Start HTML Table (Displays label only)
Click Next.
Click Finish.
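The Page Access Protection options and the item protection levels chosen in the wizard, applied to one f?p= URL as an added Python example. This is not Oracle APEX's own code: the parser follows the documented App:Page:Session:Request:Debug:ClearCache:Names:Values positions, the cs= query parameter carrying the checksum is an assumption, and the host, application, page and item names are constructed. It checks that a checksum is present and which level it must meet; verifying the checksum value itself is a separate step.

```python
from enum import IntEnum
from urllib.parse import parse_qs, urlsplit


class PageAccess(IntEnum):
    """Page Access Protection options from the wizard."""
    UNRESTRICTED = 0
    ARGUMENTS_MUST_HAVE_CHECKSUM = 1
    NO_ARGUMENTS_ALLOWED = 2
    NO_URL_ACCESS = 3


class ItemLevel(IntEnum):
    """Item protection options; RESTRICTED is observed even with Session State Protection disabled."""
    UNRESTRICTED = 0
    APPLICATION = 1
    USER = 2
    SESSION = 3
    RESTRICTED = 4


def parse_fp(url):
    """Split the colon-delimited f?p= value (App:Page:Session:Request:Debug:ClearCache:Names:Values)
    and pick up the checksum, assumed here to travel in a cs= query parameter."""
    query = parse_qs(urlsplit(url).query)
    parts = query.get("p", [""])[0].split(":")
    parts += [""] * (8 - len(parts))
    app, page, session, request, _debug, clear_cache, names, values = parts[:8]
    items = dict(zip([n for n in names.split(",") if n], values.split(",")))
    return {"app": app, "page": page, "session": session, "request": request,
            "clear_cache": clear_cache, "items": items, "cs": query.get("cs", [None])[0]}


def check_page_request(url, page_mode, item_levels):
    """Apply the page's Page Access Protection setting and the item levels to one URL.
    Returns (allowed, reason, required_level); required_level is the most stringent level
    among the passed items, which the supplied checksum must then satisfy (not verified here)."""
    req = parse_fp(url)
    has_args = bool(req["request"] or req["clear_cache"] or req["items"])
    if page_mode == PageAccess.NO_URL_ACCESS:
        return False, "page is reachable only by a Branch to Page, not by URL", None
    restricted = [n for n in req["items"] if item_levels.get(n) == ItemLevel.RESTRICTED]
    if restricted:
        return False, "item(s) may not be set from the browser: " + ",".join(restricted), None
    if page_mode == PageAccess.NO_ARGUMENTS_ALLOWED and has_args:
        return False, "Request, Clear Cache and Name/Value arguments are not allowed", None
    required = max((item_levels.get(n, ItemLevel.UNRESTRICTED) for n in req["items"]),
                   default=ItemLevel.UNRESTRICTED)
    if page_mode == PageAccess.ARGUMENTS_MUST_HAVE_CHECKSUM and has_args and not req["cs"]:
        return False, "arguments present but no checksum supplied", required
    if required > ItemLevel.UNRESTRICTED and not req["cs"]:
        return False, "protected item passed without a checksum", required
    return True, "ok", required


def demo():
    """Constructed application 100, page 2 and item levels; the host name is a placeholder."""
    levels = {"P2_ID": ItemLevel.SESSION, "P2_NOTE": ItemLevel.UNRESTRICTED, "P2_ROLE": ItemLevel.RESTRICTED}
    base = "https://apex.example.test/ords/f?p=100:2:1234567"
    must_cs, unrestricted = PageAccess.ARGUMENTS_MUST_HAVE_CHECKSUM, PageAccess.UNRESTRICTED
    return {
        "no_args": check_page_request(base, must_cs, levels),
        "args_no_cs": check_page_request(base + "::::P2_ID:42", must_cs, levels),
        "args_with_cs": check_page_request(base + "::::P2_ID:42&cs=c0ffee", must_cs, levels),
        "request_no_cs": check_page_request(base + ":SAVE", must_cs, levels),
        "unrestricted_page_protected_item": check_page_request(base + "::::P2_ID:42", unrestricted, levels),
        "unrestricted_page_plain_item": check_page_request(base + "::::P2_NOTE:hi", unrestricted, levels),
        "restricted_item": check_page_request(base + "::::P2_ROLE:ADMIN&cs=c0ffee", unrestricted, levels),
        "no_args_allowed": check_page_request(base + ":::2", PageAccess.NO_ARGUMENTS_ALLOWED, levels),
        "no_url_access": check_page_request(base, PageAccess.NO_URL_ACCESS, levels),
    }
```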
To configure Session State Protection for Pages:
Navigate to the Session State Protection page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears.
Click the Page icon.
To filter the view, use the Page, Display, and Page Access Protection lists at the top of the page.
Select a page number.
The Set Page and Item Protection page appears. The following information displays at the top of the page:
Application ID and name
Session State Protection status (Enabled or Disabled)
Page Number
Page name
For Page Access Protection, select one of the following:
Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).
Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.
No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.
For Item Types, select Data Entry Items or Display-only Items.
Data Entry items are items that can be altered using forms and include hidden items. Display-Only items are rendered only and are not submitted with the form.
If you select Data Entry Items, select a session state protection level for each item:
Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
If you select Display-only Item, select a session state protection level for each item:
Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled. This attribute may be used with any of these Display As types:
Display as Text (escape special characters, does not save state)
Display as Text (does not save state)
Display as Text (based on LOV, does not save state)
Display as Text (based on PLSQL, does not save state)
Text Field (Disabled, does not save state)
Stop and Start HTML Table (Displays label only)
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
Click Apply Changes.
To configure Session State Protection for items:
Navigate to the Session State Protection page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears.
Click the Item icon.
To filter the view, select from the Page, Display, and Item Session State Protection lists at the top of the page and click Go.
Select a page number.
The Edit Session State Protection for Page and Items page appears. The following information displays at the top of the page:
Application ID and name
Session State Protection status (Enabled or Disabled)
Page Number
Page name
For Page Access Protection, select one of the following:
Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).
Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.
No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.
For Item Types, select Data Entry Items or Display-only Items.
Data Entry items are items that can be altered using forms and include hidden items. Display-Only items are rendered only and are not submitted with the form.
If you select Data Entry Items, select a session state protection level for each item:
Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
If you select Display-only Item, select a session state protection level for each item:
Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled. This attribute may be used with any of these Display As types:
Display as Text (escape special characters, does not save state)
Display as Text (does not save state)
Display as Text (based on LOV, does not save state)
Display as Text (based on PLSQL, does not save state)
Text Field (Disabled, does not save state)
Stop and Start HTML Table (Displays label only)
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
Click Apply Changes.
To configure Session State Protection for application items:
Navigate to the Session State Protection page:
On the Workspace home page, click the Application Builder icon.
Select an application.
Click Shared Components.
Under Security, select Session State Protection.
The Session State Protection page appears.
Click the Application Item icon.
Select an application item.
Under Security, select one of the following from the Session State Protection list:
Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed even if Session State Protection is disabled. This attribute may be used for application items or for page items with any of these Display As types:
Display as Text (escape special characters, does not save state)
Display as Text (does not save state)
Display as Text (based on LOV, does not save state)
Display as Text (based on PLSQL, does not save state)
Text Field (Disabled, does not save state)
Stop and Start HTML Table (Displays label only)
Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the schema is provided. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
Click Apply Changes.