21.2.5 Preventing URL Tampering
Session State Protection is a built-in functionality that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.
- How Session State Protection Works
  Learn how Session State Protection works.
- Enabling Session State Protection
  Enable Session State Protection in Shared Components.
- Configuring Session State Protection
  Learn how to configure Session State Protection.
21.2.5.1 How Session State Protection Works
Learn how Session State Protection works.
Enabling Session State Protection is a two-step process. First, you enable the Session State Protection feature in Shared Components. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.
When enabled, Session State Protection uses the Page Access Protection and the item Session State Protection attributes with checksums positioned in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and checksums are not included in generated f?p= URLs.
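The following Python sketch is an added illustration, not Oracle's code and not the algorithm Oracle APEX uses. It models a keyed checksum carried in an f?p= URL, assuming HMAC-SHA256 over the f?p value, a hypothetical `cs` parameter name, and a constructed session key and sample URL.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-session secret for this model; it never leaves the server.
SESSION_KEY = b"constructed-demo-key-not-a-real-secret"
# Constructed f?p value: app 100, page 7, a session id, and one item/value pair.
SAMPLE_FP = "100:7:1234567890::NO::P7_EMPLOYEE_ID:42"


def checksum(fp_value: str, key: bytes = SESSION_KEY) -> str:
    """Keyed checksum over the whole f?p value (assumed scheme: HMAC-SHA256)."""
    return hmac.new(key, fp_value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_url(fp_value: str, protection_enabled: bool = True) -> str:
    """Generate an f?p= URL; a checksum is appended only when protection is on."""
    params = {"p": fp_value}
    if protection_enabled:
        params["cs"] = checksum(fp_value)  # 'cs' is this model's parameter name
    return "f?" + urlencode(params, safe=":,")


def accept_url(url: str, protection_enabled: bool = True) -> bool:
    """Server-side check: reject a missing or mismatching checksum."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fp_values = query.get("p", [])
    if len(fp_values) != 1:
        return False  # missing or duplicated p parameter
    if not protection_enabled:
        return True  # protection attributes ignored, no checksum expected
    supplied = query.get("cs", [])
    if len(supplied) != 1:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied[0], checksum(fp_values[0]))


if __name__ == "__main__":
    good = build_url(SAMPLE_FP)
    tampered = good.replace("P7_EMPLOYEE_ID:42", "P7_EMPLOYEE_ID:43")
    print("generated URL accepted:", accept_url(good))
    print("edited item value accepted:", accept_url(tampered))
    print("checksum stripped accepted:", accept_url(good.split("&cs=")[0]))
```

With protection disabled in this model, the edited URL is accepted, which mirrors the statement above that the attributes are ignored and no checksum is generated.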
21.2.5.2 Enabling Session State Protection
Enable Session State Protection in Shared Components.
Tip:
To disable Session State Protection, perform the steps described in this topic, but select Disable instead of Enable. Disabling Session State Protection does not change existing security attribute settings, but those attributes are ignored at runtime.
To enable Session State Protection:
21.2.5.3 Configuring Session State Protection
Learn how to configure Session State Protection.
Tip:
Before you can configure security attributes, you must first enable Session State Protection. See Enabling Session State Protection.
- About Configuring Session State Protection
  Learn about configuring Session State Protection.
- Reviewing Existing Session State Protection Settings
  Review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.
- Configuring Session State Protection Using a Wizard
  Configure Session State Protection using a wizard.
- Configuring Session State Protection for a Page
  Configure Session State Protection for a page in Page Designer.
- Configuring Session State Protection for Page Items
  Configure Session State Protection for page items in Page Designer.
- Configuring Session State Protection for Application Items
  Configure Session State Protection for application items in Shared Components.
21.2.5.3.1 About Configuring Session State Protection
Learn about configuring Session State Protection.
Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:
- Use a wizard and select a value for specific attribute categories. Those selections are then applied to all pages and items within the application.
- Configure values for individual pages, items, or application items.
21.2.5.3.2 Reviewing Existing Session State Protection Settings
Review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.
To view summaries of existing Session State Protection settings:
- Navigate to the Session State Protection page:
- Click Set Protection.
- Expand and review the following regions at the bottom of the page:
  - Page Level Session State Protection Summary
  - Page Item Session State Protection Summary
  - Application Item Session State Protection
21.2.5.3.3 Configuring Session State Protection Using a Wizard
Configure Session State Protection using a wizard.
To configure Session State Protection using a wizard:
21.2.5.3.4 Configuring Session State Protection for a Page
Configure Session State Protection for a page in Page Designer.
To configure Session State Protection for a page:
21.2.5.3.5 Configuring Session State Protection for Page Items
Configure Session State Protection for page items in Page Designer.
To configure Session State Protection for items:
21.2.5.3.6 Configuring Session State Protection for Application Items
Configure Session State Protection for application items in Shared Components.
To configure Session State Protection for an application item: