Is this a known bug in Card reports? Page spamming wwv_flow.ajax requests after session ends

Olafur T, Sep 6 2021

Hi,
So we got a complaint from the DBAs about abnormal APEX usage on wwv_flow.ajax, shortly after the upgrade to 21.1.
After going through our access logs, we quickly spotted what looked like a concentrated DDOS on POST /ords/wwv_flow.ajax, we're talking 30 to 40 times per client IP a second.
Thankfully it was relatively few clients and they were quickly blocked in the front-end. (Requests didn't stop, they just never reached the application server.)
After some research we discovered it was a page with a few Card regions and that the session was invalid. First we thought it was a programming issue with JavaScript setInterval, but ruled that out and can now easily reproduce the problem.
Simply create a page and put a few card regions on it (we had them using the standard template to get the header).
Give them the same CSS class and separate IDs. Run the page, open another page within the app in a new tab/window with the same session (right click navigation and open in new tab).
In the new tab/window, log out. Go back to the card page and, using the console, perform a refresh on the card regions. This will trigger a cascading wall of POST requests from each region trying to refresh the data in the background; the page simply shows a modal notification window informing you that the session is expired. No way for the user to see that it's spamming the server as fast as it can make the browser send POST requests.
So let's say that the CSS name of the regions is card-regions, then the JavaScript would be something like

apex.jQuery(".card-regions").each(function() {
  if (this.id) {
    console.log("Refreshing " + this.id);
    apex.region(this.id).refresh();
  }
});

Or simply create a button with this JavaScript code as the Dynamic Action it runs. Log out on the other page, come back and click the button. Open Developer tools in the browser and see the requests in the Network tab.
The POST requests are being answered with an HTTP status 200, but with an error message within the JSON response.

{
"error":"Your session has ended"
,"addInfo":"Click \u003Ca href=\"f?p=127:1\"\u003Ehere\u003C\/a\u003E to create a new session."
,"pageSubmissionId":"18394672920996847759760842490543959706"
}

Tried and reproduced on Firefox and Chrome.
f127.zip (129.75 KB): Simple app using ALL_OBJECTS for data to demonstrate.
Run APP
Log in
Open navigation menu and open page 2 in new tab/window
Log out while still on page 2
Go to Page 1 and open Developer Console -> Network tab
Click the button in the Breadcrumb region "Refresh Regions" (DA JavaScript that runs a refresh)
Watch the Network tab in Dev tools go crazy
We are running 21.1.0, but I went over the readme for patches leading to and with patch 4: https://updates.oracle.com/Orion/Services/download?type=readme&aru=24408591 and couldn't find any mention of this issue.
Regards
Oli
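
An added example (not part of the original post and not Oracle code): one way to spot the pattern described above in web access logs, by counting POST /ords/wwv_flow.ajax requests per client IP per second. The combined log format, the threshold of 20 and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Assumed input: Apache/nginx "combined" access log lines (assumption, not from the post).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AJAX_PATH = "/ords/wwv_flow.ajax"  # endpoint named in the post


def flag_ajax_floods(lines, per_second_threshold=20):
    """Return {ip: peak requests in one second} for clients at or above the threshold.

    The HTTP status is deliberately ignored: the post notes that the flood is
    answered with status 200, so an error-rate alert would never fire.
    """
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != AJAX_PATH:
            continue
        # The log timestamp has one-second resolution, so it serves as the bucket key.
        buckets[(m["ip"], m["ts"])] += 1
    peaks = {}
    for (ip, _second), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: n for ip, n in peaks.items() if n >= per_second_threshold}


def sample_log():
    """Constructed sample: one looping client (35 req/s) and one normal client."""
    line = ('{ip} - - [06/Sep/2021:10:15:{sec:02d} +0000] '
            '"POST /ords/wwv_flow.ajax HTTP/1.1" 200 187')
    noisy = [line.format(ip="192.0.2.10", sec=s) for s in (1, 2) for _ in range(35)]
    quiet = [line.format(ip="192.0.2.20", sec=s) for s in range(1, 6)]
    other = ['192.0.2.10 - - [06/Sep/2021:10:15:01 +0000] '
             '"GET /ords/f?p=127:1 HTTP/1.1" 200 5120']
    return noisy + quiet + other


if __name__ == "__main__":
    for ip, peak in flag_ajax_floods(sample_log()).items():
        print(f"{ip}: peak {peak} POST {AJAX_PATH} per second")
```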
