Hi, there is an issue and I'm not sure if it's possible to fix it inside APEX or if there is another workaround to solve this.
Actually this only affects the DEV environment, which is accessible via http and https.
This is not a problem if you redirect all http Requests to https.
Example:
There is an NGINX with two listeners, one 80 and one 443. Both reverse proxy to the ORDS. Short version:
[...]
# plain HTTP listener, proxied to ORDS on 8080
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / {
        proxy_pass http://localhost:8080;
    }
}
[...]
# HTTPS listener, proxied to ORDS on 8443
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    location / {
        proxy_pass https://localhost:8443;
    }
}
[...]
Now, this is only reproducible if the browser is not on the same host as the NGINX, so the bug will not arise if you call https://localhost/ords…
Steps to reproduce:
- Open the Browser
- call https://myproxyserver/ords/f?p=100 (or any other app)
- call http://myproxyserver/ords/f?p=100 => ERR_TOO_MANY_REDIRECTS
What works:
- Close the Browser and open it again
- call http://myproxyserver/ords/f?p=100
- call https://myproxyserver/ords/f?p=100
- call http://myproxyserver/ords/f?p=100 => WORKS
So what is happening here?
If you first open the app in https-Mode, you receive a cookie with secure-flag. After you open the same application in http-Mode, the App can't access the cookie, tries to give you a new session and can't access the cookie, and so on… => endless loop
If you first open the app in http-Mode the cookie stays in secure=false and it always works.
Question: What can I do? What can APEX do?
I have no idea, but a possible solution: What if APEX uses different cookie-Names for secure and insecure access?
Actually I'm not even sure if this is really a bug that should be solved, but if there is a way I would like to know!
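The loop described in the post above, as an added example that is not part of the original post and not APEX code: a simplified Python model of how a browser treats the Secure cookie attribute (Secure cookies are not sent over http, and an http response cannot overwrite one). The class names, the `APP_SESSION` cookie name and the redirect-until-the-cookie-comes-back session logic are assumptions; the `per_scheme_names` switch tries the separate-cookie-names idea from the post.

```python
# Simplified model (assumption): the app redirects to itself until the browser
# sends back the session cookie it was given. Cookie names are hypothetical.
MAX_REDIRECTS = 20  # browsers give up at about this many (ERR_TOO_MANY_REDIRECTS)

class CookieJar:
    """Browser-side handling of the Secure attribute for one host."""
    def __init__(self):
        self.cookies = {}  # name -> (value, secure)

    def store(self, scheme, name, value, secure):
        existing = self.cookies.get(name)
        if scheme == "http" and (secure or (existing and existing[1])):
            return  # http may not set a Secure cookie or overwrite one
        self.cookies[name] = (value, secure)

    def to_send(self, scheme):
        # Secure cookies are only attached to https requests
        return {n: v for n, (v, s) in self.cookies.items()
                if scheme == "https" or not s}

class App:
    def __init__(self, per_scheme_names=False):
        self.per_scheme_names = per_scheme_names
        self.sessions = set()

    def handle(self, scheme, cookies):
        name = f"APP_SESSION_{scheme.upper()}" if self.per_scheme_names else "APP_SESSION"
        if cookies.get(name) in self.sessions:
            return 200, None  # known session: serve the page
        sid = f"s{len(self.sessions) + 1}"
        self.sessions.add(sid)
        # new session: set the cookie (Secure only on https) and redirect
        return 302, (name, sid, scheme == "https")

def visit(jar, app, scheme):
    """Follow redirects like a browser; return 200 or the error string."""
    for _ in range(MAX_REDIRECTS):
        status, set_cookie = app.handle(scheme, jar.to_send(scheme))
        if status == 200:
            return 200
        jar.store(scheme, *set_cookie)
    return "ERR_TOO_MANY_REDIRECTS"

def run(order, per_scheme_names=False):
    """Visit the app once per scheme in `order` with one fresh browser."""
    jar, app = CookieJar(), App(per_scheme_names)
    return [visit(jar, app, scheme) for scheme in order]
```

`run(["https", "http"])` reproduces the failing order from the post, and `run(["http", "https", "http"])` the working one.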