Enabling Session State Protection

Previous
Previous
Next
Next

You can enable session state protection from either the Edit Security Attributes page or the Session State Protection page.

Enabling Session State Protection is a two step process. First, you enable the feature. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.

Topics:

Enabling Session State Protection from Edit Security Attributes

To enable Session State Protection from the Edit Security Attributes page:

  1. On the Database Home Page, click the Application Builder icon

  2. Select an application.

  3. Click Edit Attributes.

  4. Click Edit Security Attributes.

  5. Scroll down to Session State Protection and select Enabled from the Session State Protection list.

  6. To configure session Session State Protection, click Manage Session State Protection.

    The Session State Projection page appears.

  7. Navigate to the Edit Security Attributes page to set page and item security attributes.


Tip:

To disable Session State Protection, perform the previous steps again, but select Disabled instead of Enabled. Disabling Session State Protection will not change existing security attribute settings, but those attributes will be ignored at runtime.

About the Expire Bookmarks Button

Enabling Session State Protection affects whether or not bookmarked links to the current application will work. Consider the following rules:

  1. Bookmarked links created after Session State Protection is enabled will work if the bookmarked link contains a checksum.

  2. Bookmarked links created before Session State Protection is enabled will not work if the bookmarked link contains a checksum.

  3. Bookmarks that do not contain checksums or contain unnecessary checksums will not be affected by Session State Protection.

During page rendering, the Application Express engine uses a hidden application attribute (a checksum salt) during computation and to verify checksums included in f?p URLs. When you enable Session State Protection, the Application Express engine includes checksums. You can reset the checksum salt attribute by clicking Expire Bookmarks on the Edit Security Attributes page. Note that if you click Expire Bookmarks, bookmarked URLs used to access your application that contain previously generated checksums will fail.

Enabling Session State Protection from Session State Protection

To enable Session State Protection:

  1. Navigate to the Shared Components page:

    1. On the Database Home Page, click the Application Builder icon.

    2. Select an application.

    3. Under Security, select Session State.

      The Session State Protection page appears. Note the current Session State Protection status (Enabled or Disabled) displays at the top of the page.

  2. Click the Set Protection button.

    The Session State Protection wizard appears.

  3. Under Select Action, select Enable and click Next.

    Next, determine whether to set security attributes for pages and items.

  4. Select Enable and click Next.

  5. Click Enable Session State Protection.


Tip:

To disable Session State Protection, perform the same steps, but select Disable instead of Enable. Disabling Session State Protection will not change existing security attribute settings, but will be ignore them at run time.