20.2.5 Preventing URL Tampering
Session State Protection is a built-in feature that prevents hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.
- How Session State Protection Works
- Enabling Session State Protection
- Configuring Session State Protection
20.2.5.1 How Session State Protection Works
Enabling Session State Protection is a two-step process. First, you enable the Session State Protection feature in Shared Components. Second, you set page and item security attributes. You can perform these steps using a wizard, or you can set security attributes for pages and items manually on the Session State Protection page.
When enabled, Session State Protection uses the Page Access Protection and the item Session State Protection attributes with checksums positioned in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state. When Session State Protection is disabled, the page and item attributes related to session state protection are ignored and checksums are not included in generated f?p= URLs.
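The following added example is a conceptual model of a checksum in an f?p= URL, not Oracle's implementation and not code from this guide. The HMAC construction, the `cs` parameter name, the session key, the `checksum_required` flag and the sample page and item values are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-session secret (assumption): held server-side only.
SESSION_KEY = b"constructed-demo-key-for-session-1234"


def _mac(fp_value: str, key: bytes) -> str:
    """HMAC-SHA256 over the complete f?p argument string."""
    return hmac.new(key, fp_value.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_url(fp_value: str, key: bytes = SESSION_KEY) -> str:
    """Build an f?p= URL with the checksum appended as a cs parameter."""
    return "f?" + urlencode({"p": fp_value, "cs": _mac(fp_value, key)}, safe=":,")


def verify_url(url: str, key: bytes = SESSION_KEY,
               checksum_required: bool = True) -> bool:
    """Accept a request only if its checksum matches its f?p arguments.

    checksum_required=False models a page without access protection,
    where a URL that carries no checksum is still accepted.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fp_values = query.get("p", [])
    cs_values = query.get("cs", [])
    if len(fp_values) != 1 or len(cs_values) > 1:
        return False  # missing or duplicated parameters are rejected
    if not cs_values:
        return not checksum_required
    expected = _mac(fp_values[0], key).encode("ascii")
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(cs_values[0].encode("utf-8"), expected)


if __name__ == "__main__":
    # Constructed sample: application 100, page 10, session 1234, one item.
    url = sign_url("100:10:1234::NO::P10_EMPNO:7369")
    print(url, verify_url(url))
    edited = url.replace("P10_EMPNO:7369", "P10_EMPNO:7839")
    print(edited, verify_url(edited))
```

Because the key is tied to one session in this model, the same URL presented under a different session key also fails verification.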
20.2.5.2 Enabling Session State Protection
To enable Session State Protection:
Tip:
To disable Session State Protection, perform the same steps, but select Disable instead of Enable. Disabling Session State Protection does not change existing security attribute settings, but those attributes are ignored at runtime.
20.2.5.3 Configuring Session State Protection
Tip:
Before you can configure security attributes, you must first enable Session State Protection. See "Enabling Session State Protection".
- About Configuring Session State Protection
- Reviewing Existing Session State Protection Settings
- Configuring Session State Protection Using a Wizard
- Configuring Session State Protection for a Page
- Configuring Session State Protection for Page Items
- Configuring Session State Protection for Application Items
20.2.5.3.1 About Configuring Session State Protection
Once you have enabled Session State Protection, the next step is to configure security attributes. You can configure security attributes in two ways:
- Use a wizard and select a value for specific attribute categories. Those selections are then applied to all pages and items within the application.
- Configure values for individual pages, items, or application items.
20.2.5.3.2 Reviewing Existing Session State Protection Settings
To view summaries of existing Session State Protection settings:
- Navigate to the Session State Protection page:
- Click Set Protection.
- Expand and review the following regions at the bottom of the page:
  - Page Level Session State Protection Summary
  - Page Item Session State Protection Summary
  - Application Item Session State Protection
20.2.5.3.3 Configuring Session State Protection Using a Wizard
To configure Session State Protection using a wizard:
20.2.5.3.4 Configuring Session State Protection for a Page
To configure Session State Protection for a page:
20.2.5.3.5 Configuring Session State Protection for Page Items
To configure Session State Protection for items:
20.2.5.3.6 Configuring Session State Protection for Application Items
To configure Session State Protection for an application item: