1 year ago

#327067

test-img

Sam Henry

Apex is overwriting session/cookie with custom login

Our company has a custom login with Oracle Apex. We are upgrading from 5.x to 19.x due to AWS's forced ORDS upgrade at the end of the month. When logging in, we see the session data in the APEX_210100.wwv_flow_sessions$ table, and we're setting some session variables with that session ID using apex_util.set_session_state.

Logging in

Here, we log in the user to create the session. Then, we pull the session ID and cookie value out. It's worth noting that remote_addr is null for the created session.

select workspace_id
into l_workspace_id
from APEX_210100.apex_applications
where application_id = <app_id>;

APEX_210100.wwv_flow_api.set_security_group_id(l_workspace_id);
APEX_210100.wwv_flow_custom_auth_std.login(P_UNAME => '<username>',
                             P_PASSWORD => '<password>',
                             P_SESSION_ID => APEX_210100.V('SESSION_ID'),
                             P_FLOW_PAGE => '<app_id>:<page_id>');

select id, cookie_value into v_session_id, v_cookie_value
from APEX_210100.WWV_FLOW_SESSIONS$
where security_group_id=l_workspace_id
    and remote_addr is null
    and username='<username>'
    and created_on=(
        select max(created_on)
        from APEX_210100.WWV_FLOW_SESSIONS$
        where security_group_id=l_workspace_id
            and remote_addr is null
            and username='<username>'
    );

Setting common session variables

Next, we set the common session variables

for x in (select * from APEX_210100.WWV_FLOW_COMPUTATIONS where computation_type='STATIC_ASSIGNMENT' and FLOW_ID=115)
loop
    APEX_210100.APEX_UTIL.set_session_state(p_name => x.computation_item, p_value => x.computation);
end loop;

for x in (select * from APEX_210100.WWV_FLOW_COMPUTATIONS where flow_id = 115 and computation_point in ('ON_NEW_INSTANCE', 'AFTER_LOGIN') and COMPUTATION_TYPE = 'QUERY')
loop
    APEX_210100.APEX_UTIL.set_session_state(p_name => x.computation_item, p_value => x.computation);
end loop;

Redirecting to Apex pages

Lastly, we redirect to the Apex page with the session ID and cookie values.

const apexRedirect = `/web/f?p=${app}:${landPage}:${sessionId}:::::#17671`;
res.setHeader('Location', apexRedirect);
res.setHeader(
    'Set-Cookie',
    `ORA_WWV_APP_<app_id>=${cookie}; Path=/web/; Secure; SameSite=None; HttpOnly`
);
res.sendStatus(302);

Results

For some reason, when logging in with the session ID and cookie, Apex just resets the session ID/cookie to a new one with the username "nobody". Is there something wrong with the session we're creating?

oracle-apex

oracle-apex-5.1

oracle-apex-19.2

0 Answers

Your Answer

Accepted video resources

Posts

Questions

Blogs

Jobs