21.2.5 Preventing URL Tampering

Session State Protection is a built-in feature that prevents users from tampering with the f?p= URLs in your application. A tampered URL can alter program logic, change session state contents, and expose data the user is not meant to see.

21.2.5.1 How Session State Protection Works

Enabling Session State Protection is a two-step process. First, you enable the Session State Protection feature in Shared Components. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.

When enabled, Session State Protection uses the Page Access Protection and item Session State Protection attributes, together with checksums carried in f?p= URLs, to prevent URL tampering and unauthorized access to or alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and checksums are not included in generated f?p= URLs.

21.2.5.2 Enabling Session State Protection

To enable Session State Protection:

  1. Navigate to the Shared Components page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.
    The Session State Protection page appears. Note that the current Session State Protection status (Enabled or Disabled) is displayed at the top of the page.
  2. Click the Set Protection button.

    The Session State Protection wizard appears.

  3. Under Select Action, select Enable and click Next.

    Next, determine whether to set security attributes for pages and items.

  4. Select Enable and click Next.
  5. Click Enable Session State Protection.

Tip:

To disable Session State Protection, perform the same steps, but select Disable instead of Enable. Disabling Session State Protection does not change existing security attribute settings, but those attributes are ignored at runtime.

21.2.5.3 Configuring Session State Protection

Tip:

Before you can configure security attributes, you must first enable Session State Protection. See "Enabling Session State Protection".

21.2.5.3.1 About Configuring Session State Protection

Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:

  • Use a wizard and select a value for specific attribute categories. Those selections are then applied to all pages and items within the application.

  • Configure values for individual pages, items, or application items.

21.2.5.3.2 Reviewing Existing Session State Protection Settings

You can review a summary of Session State Protection settings for pages, items, and application items on the first page of the Session State Protection wizard.

To view summaries of existing Session State Protection settings:

  1. Navigate to the Session State Protection page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.
  3. Expand and review the following regions at the bottom of the page:
    • Page Level Session State Protection Summary
    • Page Item Session State Protection Summary
    • Application Item Session State Protection
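The wizard summary regions above show the same information that the APEX dictionary views expose in SQL. The following query, added here as an example (it is not code from the APEX documentation), lists every page, page item and application item of one application whose protection is still Unrestricted, which is the usual starting point for an audit. Application id 100 is an assumed value, and the column names PAGE_ACCESS_PROTECTION, ITEM_PROTECTION_LEVEL and PROTECTION_LEVEL are assumed from the dictionary views; confirm them against APEX_DICTIONARY (or DESCRIBE the views) in your instance before relying on the query.

```sql
-- Added example, not from the APEX documentation.
-- Assumptions: application_id 100; the protection columns are named as below
-- (check APEX_DICTIONARY / DESCRIBE before use).
SELECT 'Page'                         AS object_type,
       page_id || ' ' || page_name    AS object_name,
       page_access_protection         AS protection
  FROM apex_application_pages
 WHERE application_id = 100
   AND page_access_protection = 'Unrestricted'
UNION ALL
SELECT 'Page item',
       item_name,
       item_protection_level
  FROM apex_application_page_items
 WHERE application_id = 100
   AND item_protection_level = 'Unrestricted'
UNION ALL
SELECT 'Application item',
       item_name,
       protection_level
  FROM apex_application_items
 WHERE application_id = 100
   AND protection_level = 'Unrestricted'
 ORDER BY 1, 2;
```

Run it from SQL Workshop or any schema that has been granted access to the APEX views. Rows for display-only or disabled items that are still Unrestricted are the ones to move to Restricted - May not be set from browser; rows for pages are candidates for Arguments Must Have Checksum.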

21.2.5.3.3 Configuring Session State Protection Using a Wizard

When you configure Session State Protection using a wizard, you set a value for specific attribute categories. Those selections are then applied to all pages and items within the application.

To configure Session State Protection using a wizard:

  1. Navigate to the Session State Protection page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Security, select Session State Protection.

      The Session State Protection page appears.

  2. Click Set Protection.

    The Session State Protection wizard appears.

  3. Under Select Action, select Configure and click Next.
  4. Select a Page Access Protection:
    • Unrestricted - The page may be requested using a URL with or without session state arguments (Request, Clear Cache, Name/Values).
    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
    • No Arguments Allowed - A URL may be used to request the page but no Request, Clear Cache, or Name/Value arguments are allowed.
    • No URL Access - The page may not be accessed using a URL; however, the page may be the target of a Branch to Page branch type, which does not do a URL redirect.
  5. Select an Application Item Protection:
    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note:

      If you must set this item's value in session state using Ajax (for example, through the Page Items to Submit attribute of a Set Value dynamic action or of a cascading LOV), you must use the Unrestricted protection level for the item.
    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace and application is provided. You can also use a user-level checksum or a session-level checksum (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.
    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. You can also use a session-level checksum (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.
    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is also provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.
    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed even if Session State Protection is disabled.

    Use the Restricted - May not be set from browser attribute for application items or for page items with any of these Display As types:

    • Display as Text (escape special characters, does not save state)

    • Display as Text (does not save state)

    • Display as Text (based on LOV, does not save state)

    • Display as Text (based on PLSQL, does not save state)

    • Text Field (Disabled, does not save state)

    • Stop and Start HTML Table (Displays label only)

  6. Select Page Data Entry Item Protection:
    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you must set this item's value in session state using Ajax (for example, through the Page Items to Submit attribute of a Set Value dynamic action or of a cascading LOV), you must use the Unrestricted protection level for the item.

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace and application is provided. You can also use a user-level checksum or a session-level checksum (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. You can also use a session-level checksum (see next bullet). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  7. Select a Page Display-Only Item Protection:
    • Unrestricted - The item may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

      Note: If you must set this item's value in session state using Ajax (for example, through the Page Items to Submit attribute of a Set Value dynamic action or of a cascading LOV), you must use the Unrestricted protection level for the item.

    • Checksum Required: Application Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace and application is provided. You can also use a user-level checksum or a session-level checksum (see next bullets). Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the current session is provided. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

    • Checksum Required: User Level - The item's session state may be set by passing the item name/value in a URL if a checksum specific to the workspace, application, and user is provided. You can also use a session-level checksum. Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Restricted: May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is always observed, even if Session State Protection is disabled.

      This attribute may be used with any of these Display As types:

      • Display as Text (escape special characters, does not save state)

      • Display as Text (does not save state)

      • Display as Text (based on LOV, does not save state)

      • Display as Text (based on PLSQL, does not save state)

      • Text Field (Disabled, does not save state)

      • Stop and Start HTML Table (Displays label only)

  8. Click Next.
  9. Click Finish.
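The practical consequence of "How Session State Protection Works" and of the checksum levels chosen in the wizard is that links must be generated by APEX rather than assembled by hand. The PL/SQL block below is an added example (not code from the APEX documentation or the product) that contrasts a hand-built f?p= URL with one produced by APEX_UTIL.PREPARE_URL and APEX_PAGE.GET_URL, and shows how the three Checksum Required levels map onto the p_checksum_type values. Application 100, page 10, page item P10_EMPNO and application item G_DEPTNO are assumed names; the block must run where an APEX session exists, for example in a page process.

```sql
-- Added example, not from the APEX documentation.
-- Assumed names: application 100, page 10, item P10_EMPNO, application item G_DEPTNO.
-- Requires an APEX session (v('APP_SESSION') and the checksum functions need one).
DECLARE
    l_raw_url  VARCHAR2(4000);
    l_url      VARCHAR2(4000);
BEGIN
    -- Positional f?p= syntax: App:Page:Session:Request:Debug:ClearCache:Items:Values.
    -- Once SSP is enabled and P10_EMPNO has any "Checksum Required" level, APEX
    -- rejects this hand-built link: it carries a name/value pair and no &cs=
    -- parameter. With Page Access Protection "No Arguments Allowed" the page
    -- rejects it regardless of any checksum.
    l_raw_url := 'f?p=100:10:' || v('APP_SESSION') || '::NO::P10_EMPNO:7839';
    dbms_output.put_line('hand-built : ' || l_raw_url);

    -- APEX_UTIL.PREPARE_URL appends the checksum (&cs=...). With p_checksum_type
    -- left NULL, APEX derives the type from the strictest protection level among
    -- the items in the URL. A forced type must be at least as strict as that
    -- level, otherwise the link is still rejected:
    --   'PUBLIC_BOOKMARK'  application-level checksum (any user, any session)
    --   'PRIVATE_BOOKMARK' user-level checksum (same named user, any session)
    --   'SESSION'          session-level checksum (the current session only)
    l_url := apex_util.prepare_url(
                 p_url           => l_raw_url,
                 p_checksum_type => 'SESSION');
    dbms_output.put_line('prepare_url: ' || l_url);

    -- APEX_PAGE.GET_URL builds the same kind of link from named parameters and
    -- adds the checksum automatically, which avoids colon-position mistakes.
    -- p_plain_url => TRUE returns a bare URL instead of the javascript: wrapper
    -- used for modal dialog pages.
    l_url := apex_page.get_url(
                 p_application => 100,
                 p_page        => 10,
                 p_items       => 'P10_EMPNO',
                 p_values      => '7839',
                 p_plain_url   => TRUE);
    dbms_output.put_line('get_url    : ' || l_url);

    -- An item set to "Restricted - May not be set from browser" can appear in
    -- neither the URL nor the POST body. Set it server-side instead:
    apex_util.set_session_state(
        p_name  => 'G_DEPTNO',
        p_value => '30');
END;
/
```

The cs= value itself is opaque and instance-specific; what matters is the scope it was generated for. A link generated with a session-level checksum stops working in any other session, a user-level link stops working for any other named user, and an application-level link is accepted from any session of the same application and workspace, so choose the narrowest level that the feature (bookmarking, e-mailed links, cross-user sharing) actually requires.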

21.2.5.3.4 Configuring Session State Protection for a Page

To configure Session State Protection for a page:

  1. View the page in Page Designer:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Select a page.
    Page Designer appears.
  2. In either the Rendering tab or the Layout tab, select the page name.
    The Property Editor displays the page attributes in the right pane. Attributes are organized in groups.
  3. Find the Security group and edit the Page Access Protection attribute. Options include:
    • Unrestricted - The page may be requested using a URL, with or without session state arguments, and without having to have a checksum.
    • Arguments Must Have Checksum - If Request, Clear Cache, or Name/Value arguments appear in the URL, a checksum must also be provided. The checksum type must be compatible with the most stringent Session State Protection attribute of all the items passed as arguments.
    • No Arguments Allowed - A URL may be used to request the page, but the URL can not contain Request, Clear Cache, or Name/Value Pair arguments.
    • No URL Access - The page may not be accessed using a URL. However, the page may be the target of a Branch to Page branch type, as this does not perform a URL redirect.
  4. To save your changes, click Save.

21.2.5.3.5 Configuring Session State Protection for Page Items

To configure Session State Protection for items:

  1. View the page in Page Designer:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Select a page.
    Page Designer appears.
  2. In either the Rendering tab or the Layout tab, select the page item.
    The Property Editor displays the item attributes in the right pane. Attributes are organized in groups.
  3. Find the Security group.
  4. Under Security, edit the Session State Protection attribute. Options include:
    • Unrestricted - The item can be set by passing the item in a URL or in a form. No checksum is required in the URL.

    • Checksum Required - Application Level - The item can be set by passing the item in a URL that includes a checksum specific to the workspace and application.

    • Checksum Required - User Level - The item can be set by passing the item in a URL that includes a checksum specific to the workspace, application and user.

    • Checksum Required - Session Level - The item can be set by passing the item in a URL that includes a checksum specific to the session.

    • Restricted - May not be set from browser - The item can not be altered using the URL or POSTDATA. Select this option to restrict what can set the item value to internal processes, computations, and so on. This attribute only applies to items that are not used as data entry items and is always observed, even if Session State Protection is disabled. Use this attribute for page or application items that have the following Display As types:
      • Display Only (Save State=No)
      • Text Field (Disabled, does not save state)
  5. To save your changes, click Save.

21.2.5.3.6 Configuring Session State Protection for Application Items

To configure Session State Protection for an application item:

  1. Navigate to the Application Items page:
    1. On the Workspace home page, click the App Builder icon.
    2. Select an application.
    3. Click Shared Components.
    4. Under Application Logic, select Application Items.

      The Application Items page appears.

  2. Click the name of an application item.

    The Edit Application Item page appears.

  3. Scroll down to Security.
  4. Edit Session State Protection. Options include:
    • Unrestricted - The item's session state may be set by passing the item name/value in a URL or in a form. No checksum is required in the URL.

    • Restricted - May not be set from browser - The item may not be altered using the URL or POSTDATA. Use this option when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute applies only to items that cannot be used as data entry items and is always observed, even if Session State Protection is disabled. This attribute may be used for application items or for page items with any of these Display As types:

      • Display Only (Save State=No)

      • Text Field (Disabled, does not save state)

      • Stop and Start Grid Layout (Displays label only)

    • Checksum Required: Application Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace and application. Use this option when you want to allow the item to be set only by URLs having checksums that were generated by any user running the same application in the current workspace but in a different session.

    • Checksum Required: User Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the workspace, application, and user. Use this option when you want to allow the item to be set only by URLs having checksums that were generated by the same named user, running the same application in the current workspace but in a different session.

    • Checksum Required: Session Level - The item may be set by passing the item name/value in a URL if a checksum is also provided that is specific to the current session. Use this option when you want to allow this item to be set only by URLs having checksums that were generated in the current session.

  5. Click Apply Changes.