20.2.5 Preventing URL Tampering

Session State Protection is a built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

20.2.5.1 How Session State Protection Works

Learn how Session State Protection works.

Enabling Session State Protection is a two-step process. First, you enable the Session State Protection feature in Shared Components. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.

When enabled, Session State Protection uses the Page Access Protection page attribute and the item Session State Protection attributes together with checksums placed in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and no checksums are included in generated f?p= URLs.

20.2.5.2 Enabling Session State Protection

Enable Session State Protection in Shared Components.

Tip:

To disable Session State Protection, perform the steps described in this topic, but select Disable instead of Enable. Disabling Session State Protection does not change existing security attribute settings, but those attributes are ignored at runtime.

To enable Session State Protection:

  1. Navigate to the Shared Components page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.
    The Session State Protection page appears. Note that the page displays the application name and current Session State Protection status (that is, Enabled or Disabled).
  2. Click Set Protection.

    The Session State Protection wizard appears.

  3. In the Session State Protection wizard:
    1. Select Action - Select Enable.

      When enabled, Session State Protection uses the Page Access Protection page attribute and the Session State Protection item attributes in conjunction with checksums placed in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state.

      Tip:

      You can also adjust page and item security attributes manually. Select Enable, return to the Session State Protection page, and click the appropriate icon.
    2. Click Next.
    3. Click Enable.

      Next, determine whether to set security attributes for pages and items.

20.2.5.3 Configuring Session State Protection

Learn how to configure Session State Protection.

Tip:

Before you can configure security attributes, you must first enable Session State Protection. See Enabling Session State Protection.

20.2.5.3.1 About Configuring Session State Protection

Learn about configuring Session State Protection.

Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:

  • Use a wizard and select a value for specific attribute categories. Those selections are then applied to all pages and items within the application.

  • Configure values for individual pages, items, or application items.

20.2.5.3.2 Reviewing Existing Session State Protection Settings

Review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.

To view summaries of existing Session State Protection settings:

  1. Navigate to the Session State Protection page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.
  3. Expand and review the following regions at the bottom of the page:
    • Page Level Session State Protection Summary
    • Page Item Session State Protection Summary
    • Application Item Session State Protection

20.2.5.3.3 Configuring Session State Protection Using a Wizard

Configure Session State Protection using a wizard.

When you configure Session State Protection using a wizard, you set a value for specific attribute categories. Those selections are then applied to all pages and items within the application.

To configure Session State Protection using a wizard:

  1. Navigate to the Session State Protection page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.

    The Session State Protection wizard appears.

  3. Select Action - Select Configure and click Next.

    Select security attributes for pages and items. You may accept the default settings displayed here, or make new selections. Note that the value you choose for an attribute category will be applied to all pages and items throughout the application.

  4. Page Access Protection:
    • Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).
    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
    • No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.
    • No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.
  5. Page Data Entry Item Protection:
    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace and application. A user-level checksum or a session-level checksum will also suffice (see the next option). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace, application, and user. A session-level checksum will also suffice (see the next option). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the current session. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
  6. Page Display-Only Item Protection:
    • Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.
    • Restricted: May not be set from browser - The item may not be altered via the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled. This attribute may be used with any of these Display As types:
      • Display Only (Save State=No)
      • Display as Text (does not save state)
      • Display as Text (based on LOV, does not save state)
      • Display as Text (based on PLSQL, does not save state)
      • Text Field (Disabled, does not save state)
      • Stop and Start Grid Layout (Displays label only)
    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace and application. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace, application, and user. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
  7. Application Item Protection:
    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed, even if Session State Protection is disabled. This attribute may be used for application items or for page items with any of these Display As types:
      • Display Only (Save State=No)
      • Text Field (Disabled, does not save state)
      • Stop and Start Grid Layout (Displays label only)
    • Checksum Required: Application Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace and application. A user-level checksum or a session-level checksum will also suffice (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
    • Checksum Required: User Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace, application, and user. A session-level checksum will also suffice (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
  8. Click Next.
  9. Click Finish.
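The following anonymous PL/SQL block is an added example; it is not part of the Oracle documentation or of APEX itself. It ties the checksum levels above (and the f?p= checksum mechanism described in How Session State Protection Works) to the API a developer would actually call. Assumptions: APEX 18.1 or later (for APEX_SESSION), an application 100 with page 10, a page item P10_EMPNO, a display-only item P10_ROLE whose Session State Protection is Restricted - May not be set from browser, and a workspace user DEMO. It generates three f?p= URLs for the same target, each carrying a checksum of a different level, using APEX_UTIL.PREPARE_URL, and then sets the restricted item from server-side code, which is the only way such an item can be set.

```sql
-- Added example, not Oracle documentation or APEX product code.
-- Assumed objects: application 100, page 10, items P10_EMPNO and P10_ROLE,
-- workspace user DEMO. Run from SQL Workshop, SQLcl or SQL*Plus as the
-- application's parsing schema, with SERVEROUTPUT on.
declare
    l_target     varchar2(400);
    l_app_level  varchar2(4000);
    l_user_level varchar2(4000);
    l_sess_level varchar2(4000);
begin
    -- Outside a page request there is no APEX session to bind checksums to,
    -- so create one. Inside a page process or computation this step is
    -- not needed: the current request's session is used.
    apex_session.create_session(
        p_app_id   => 100,
        p_page_id  => 10,
        p_username => 'DEMO');

    -- f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues
    l_target := 'f?p=100:10:' || apex_application.g_instance
             || '::NO::P10_EMPNO:7839';

    -- Checksum Required: Application Level. The resulting URL is accepted
    -- from any user of application 100 in this workspace, in any session.
    l_app_level := apex_util.prepare_url(
        p_url           => l_target,
        p_checksum_type => 'PUBLIC_BOOKMARK');

    -- Checksum Required: User Level. Accepted only when the same named
    -- user (DEMO) presents it, but in any of that user's sessions.
    l_user_level := apex_util.prepare_url(
        p_url           => l_target,
        p_checksum_type => 'PRIVATE_BOOKMARK');

    -- Checksum Required: Session Level. Accepted only in the session it was
    -- generated in. A session-level checksum also satisfies the user-level
    -- and application-level settings, so when a page is set to
    -- "Arguments Must Have Checksum" and the URL passes several items with
    -- different levels, generating a session-level checksum is always safe.
    l_sess_level := apex_util.prepare_url(
        p_url           => l_target,
        p_checksum_type => 'SESSION');

    dbms_output.put_line('application level: ' || l_app_level);
    dbms_output.put_line('user level:        ' || l_user_level);
    dbms_output.put_line('session level:     ' || l_sess_level);

    -- P10_ROLE is "Restricted - May not be set from browser": a value for it
    -- in the URL or in POSTDATA is rejected whether or not Session State
    -- Protection is enabled. Server-side code is the only way to set it.
    apex_util.set_session_state(p_name => 'P10_ROLE', p_value => 'MANAGER');
    dbms_output.put_line('P10_ROLE = ' || v('P10_ROLE'));
end;
/
```

Each printed URL ends in a `&cs=` checksum parameter; change any item value in the URL and APEX rejects the request on the next page view. Paste the session-level URL into a browser that is not signed in to session `apex_application.g_instance` to confirm the checksum is scoped as described; the application-level URL is the one to use for links that must survive a new login.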

20.2.5.3.4 Configuring Session State Protection for a Page

Configure Session State Protection for a page in Page Designer.

To configure Session State Protection for a page:

  1. View the page in Page Designer:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Select a page.
    Page Designer appears.
  2. In the Rendering tab, select the page name.
    The Property Editor displays the page attributes in the right pane. Attributes are organized in groups.
  3. Find the Security group and edit the Page Access Protection attribute. Options include:
    • Unrestricted - The page may be requested using a URL, with or without session state arguments, and without having to have a checksum.
    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
    • No Arguments Allowed - A URL may be used to request the page, but the URL cannot contain Request, Clear Cache, or Name/Value Pair arguments.
    • No URL Access - The page may not be accessed using a URL. However, the page may be the target of a Branch to Page branch type, as this does not perform a URL redirect.
  4. To save your changes, click Save.

20.2.5.3.5 Configuring Session State Protection for Page Items

Configure Session State Protection for page items in Page Designer.

To configure Session State Protection for items:

  1. View the page in Page Designer:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Select a page.
    Page Designer appears.
  2. In either the Rendering tab or the Layout tab, select the page item.
    The Property Editor displays the item attributes in the right pane. Attributes are organized in groups.
  3. Find the Security group and edit the Session State Protection attribute. Options include:
    • Unrestricted - The item can be set by passing the item in a URL or in a form. No checksum is required in the URL.

    • Checksum Required - Application Level - The item can be set by passing the item in a URL that includes a checksum specific to the workspace and application.

    • Checksum Required - User Level - The item can be set by passing the item in a URL that includes a checksum specific to the workspace, application, and user.

    • Checksum Required - Session Level - The item can be set by passing the item in a URL that includes a checksum specific to the session.

    • Restricted - May not be set from browser - The item cannot be altered using the URL or POSTDATA. Select this option to restrict what can set the item value to internal processes, computations, and so on. This attribute only applies to items that are not used as data entry items and is always observed, even if Session State Protection is disabled. Use this attribute for page or application items that have the following Display As types:
      • Display Only (Save State=No)
      • Text Field (Disabled, does not save state)
  4. To save your changes, click Save.

20.2.5.3.6 Configuring Session State Protection for Application Items

Configure Session State Protection for application items in Shared Components.

To configure Session State Protection for an application item:

  1. Navigate to the Application Items page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Application Logic, select Application Items.

      The Application Items page appears.

  2. Click the name of an Application Item.
  3. Under Security, select a Session State Protection value for this item. Options include:
    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed, even if Session State Protection is disabled. This attribute may be used for application items or for page items with any of these Display As types:

      • Display Only (Save State=No)

      • Text Field (Disabled, does not save state)

      • Stop and Start Grid Layout (Displays label only)

    • Checksum Required: Application Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace and application. Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace, application, and user. Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the current session. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  4. Click Apply Changes.