1. App Builder User's Guide
  2. Managing Application Security
  3. Understanding Developer Security Best Practices
  4. About Items of Type Password

20.2.1 About Items of Type Password

Password items do not emit the text entered to the web browser screen. When creating password items, Oracle recommends using password attributes that do not save session state to prevent the password from being saved in the database in the session state tables.

Configurable password item type attributes include:

  • Validation, Value Required - If set to On and the page item is visible, Oracle Application Express automatically performs a NOT NULL validation when the page is submitted. If set to No, no validation a NULL value is accepted.

  • Settings, Submit when Enter pressed - If set to On, when the user presses the ENTER key in the field the page is submitted.

  • Source, Maintain Session State - If set to Per Request (Memory Only), the value will not be written to the database and will only be available for the current request. For highly sensitive values, this is the preferred setting. However, if the value of Maintain Session State is set to Per Session (Disk), be sure to set Store value encrypted in session state to Yes.

  • Security, Authorization Scheme - Optionally select an authorization scheme which must evaluate to TRUE in order for this component to be rendered or otherwise processed.

  • Security, Session State Protection - You can select the level of session state protection by setting this attribute to Unrestricted or Restricted.

    • Unrestricted means the item may be set by passing the item in a URL or in a form. No checksum is required in the URL.

    • Restricted means the item may not be set from a browser. Use this when you want to restrict the way that the item value can be set to internal processes, computations, and so on. This attribute is applicable only to items that cannot be used as data entry items and is always observed, even if Session State Protection is disabled.

  • Security, Store value encrypted in session state - You can encypt sensitive content stored in Application Express session state management tables. To encrypt an item when stored in session state, set this attribute to On. To learn more, see "About Session State and Security".

See Also:

Parent topic: Understanding Developer Security Best Practices