Monday, May 18, 2009

APEX: Page Access Protection and Session State Protection

APEX's Page Access Protection (PAP, for pages) and Session State Protection (SSP, for items) are excellent security tools that help prevent users from altering session values. What some people may not be aware of is that enabling PAP for a page does not prevent users from altering the session state of the items on that page. All it does is require a checksum on any items passed to that page via the URL. Malicious users can still alter an item's session state via AJAX or from other pages. Long story short, if you want to lock your application down you need to enable SSP for all required items.

APEX has a great tool to do this quickly rather than having to edit each page item individually: Shared Components / Session State Protection / Page / (click the page number). From there you can set the PAP for the page and the SSP for all of its page items at once.



If you do use PAP and SSP, the following queries will help you do some quick validations to ensure all your security checks are in place.

Pages without Page Access Protection

SELECT aap.application_id,
       aap.application_name,
       aap.page_id,
       aap.page_name
  FROM apex_application_pages aap
 WHERE LOWER (aap.page_access_protection) = 'unrestricted'
   AND aap.application_id = :app_id;


Page items without Session State Protection

SELECT aapi.application_id,
       aapi.application_name,
       aapi.page_id,
       aapi.page_name,
       aapi.item_name
  FROM apex_application_page_items aapi
 WHERE aapi.application_id = :app_id
   AND LOWER (aapi.item_protection_level) = 'unrestricted';


Pages which have Page Access Protection, but have page items with no Session State Protection

This query identifies pages which you think are locked down, but whose page item values end users could still set in session state.

SELECT aapi.application_id,
       aapi.application_name,
       aapi.page_id,
       aapi.page_name,
       aapi.item_name
  FROM apex_application_pages aap,
       apex_application_page_items aapi
 WHERE LOWER (aap.page_access_protection) != 'unrestricted'
   AND aap.application_id = :app_id
   AND aapi.application_id = aap.application_id
   AND aap.page_id = aapi.page_id
   AND LOWER (aapi.item_protection_level) = 'unrestricted';
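As an added example (not part of the original post), the three checks above can be rolled into one per-page audit report: each page gets a verdict, and pages that pass both checks are filtered out. It goes a little beyond the post's queries in that it covers every application you can see when the :app_id bind is left NULL; the view and column names are the same ones the post uses.

```sql
-- Added audit query, not from the original post.
-- One row per page that fails a check: PAP missing, or PAP set but at least
-- one item on the page still has no Session State Protection.
-- Assumes the APEX dictionary views used in the post and a :app_id bind;
-- bind :app_id as NULL to report across all applications you have access to.
SELECT aap.application_id,
       aap.page_id,
       aap.page_name,
       aap.page_access_protection,
       COUNT(aapi.item_name)                                  AS item_count,
       SUM(CASE WHEN LOWER(aapi.item_protection_level) = 'unrestricted'
                THEN 1 ELSE 0 END)                            AS unprotected_items,
       CASE
         WHEN LOWER(aap.page_access_protection) = 'unrestricted'
           THEN 'PAP missing'
         WHEN SUM(CASE WHEN LOWER(aapi.item_protection_level) = 'unrestricted'
                       THEN 1 ELSE 0 END) > 0
           THEN 'PAP set, but items without SSP'
         ELSE 'OK'
       END                                                    AS verdict
  FROM apex_application_pages aap
  -- LEFT JOIN so pages with no items still appear when PAP is missing
  LEFT JOIN apex_application_page_items aapi
         ON aapi.application_id = aap.application_id
        AND aapi.page_id        = aap.page_id
 WHERE aap.application_id = NVL(:app_id, aap.application_id)
 GROUP BY aap.application_id,
          aap.page_id,
          aap.page_name,
          aap.page_access_protection
HAVING LOWER(aap.page_access_protection) = 'unrestricted'
    OR SUM(CASE WHEN LOWER(aapi.item_protection_level) = 'unrestricted'
                THEN 1 ELSE 0 END) > 0
 ORDER BY aap.application_id, aap.page_id;
```

An empty result set means every page has PAP and every page item has some SSP level; drop the HAVING clause to see the 'OK' rows as well.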

3 comments:

  1. On a related issue, have you ever encountered the following:

    APEX 4.1.0.00.32, Oracle 11g 11.2.0.1

    I have a page with a select list; no redirect or submit for the select list. I have the PAP set for the page and I have the SSP set for the select list at 'Checksum Required - Session Level'. I have a simple DA that refreshes a report region when the select list changes. It does not work; the report region is not refreshed! Within Firebug, I found the following: "Attempt to save item P110_APEX_USER in session state during show processing. Item protection level indicates 'Item may be set when accompanied by a "session" checksum.'. No checksum was passed in or the checksum passed in would be suitable for an item with protection level 'Item has no protection'".

    Everything works fine when I remove the PAP and all SSPs. This one baffles me! Any help would be appreciated.

    Thx!

    Replies
    1. Hi Steph,

      When you're trying to refresh the report you're probably setting P110_APEX_USER (the select list). What happens is APEX will take the value from the select list (on the client's browser) and then try to set it via an AJAX call to set the value in session state before refreshing the report.

      Since the select list has SSP, and SSP does not happen on AJAX calls, it is raising the error.

      Martin
