Logged Out session can be accessed again After logout (DAD authentication)
49708 Oct 10 2007 — edited Oct 15 2007
Hello,
Please find the details of my problem below:
SCENARIO:
----------------------------------------------------------
Current Authentication: No Authentication (USING DAD)
Authorization: MYAUTH
Frequency: Once Per Session
declare
  lv_retval boolean;
  lv_srec   pkg_myutil.r_sessionrectype;
begin
  begin
    -- This is NOT Apex Session. I am checking the entry in a table to make sure user is logged in
    -- and the link is not opened directly. In short making sure user opened the Apex link from the
    -- Oracle Forms application.
    lv_srec := pkg_myutil.get_session_info(:P1_SID);
    if lv_srec.valid_session then
      lv_retval := TRUE;
    else
      lv_retval := FALSE;
    end if;
  exception
    when others then
      lv_retval := FALSE;
  end;
  return lv_retval;
end;
The Application Security property Authorization is set to: MYAUTH
Logout Navigation Bar Entries-URL TARGET: http://myapp.mycompany.com/pls/apex/apex_custom_auth.logout?p_this_app=105&p_next_url=http://mycompany.com
(I cannot put this in the Authentication Logout URL, as using -DATABASE- as the sentry function (DAD authentication) gives me the error: No functional attributes may be set when page sentry function is '-DATABASE-'.)
So I directly modified the navigation bar entry.
---------------------------
Now I open the APEX link from my Forms application, and it works fine. For example:
http://myapp.mycompany.com/pls/QRYONLYDAD/f?p=105:1:2524984933940261::NO::P1_SID:0137099300:
The authorization function takes the P1_SID value and checks in the database, finds the entry, and so returns TRUE to display page 1, which I call the Menu page.
If I click logout, it works and takes me to the Mycompany home page.
My question:
If I save that link and try to access it again AFTER LOGOUT, it still displays the page. Although the session is logged out, how come it still allows access to the page? The authorization function also doesn't fire, which would at least have prevented it. How does APEX know it is still a valid session even after logout happens?
I can see that since there is DAD authentication, the login happens automatically... but I cannot change that method. What other option do I have?
Please help.
Jay
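
One way to make a saved link stop working after logout, as an added example that is not part of the original post: record the end of the Forms session in the table itself and re-check it on every page view instead of once per session. The table forms_sessions, the package pkg_sid_check and the 8-hour lifetime are assumptions standing in for whatever pkg_myutil.get_session_info reads.

```sql
-- Added example, not the poster's code. FORMS_SESSIONS and its columns are
-- hypothetical stand-ins for the table behind pkg_myutil.get_session_info.
create table forms_sessions (
  sid        varchar2(32) primary key,
  username   varchar2(30) not null,
  created_at date default sysdate not null,
  ended_at   date                    -- set at logout; NULL means still active
);

create or replace package pkg_sid_check as
  function  is_active(p_sid in varchar2) return boolean;
  procedure end_session(p_sid in varchar2);
end pkg_sid_check;
/

create or replace package body pkg_sid_check as
  c_max_age constant number := 8/24; -- assumed lifetime: 8 hours, in days

  -- TRUE only for a SID that exists, has not been ended and has not expired.
  function is_active(p_sid in varchar2) return boolean is
    l_hits pls_integer;
  begin
    select count(*) into l_hits
      from forms_sessions
     where sid = p_sid
       and ended_at is null
       and created_at > sysdate - c_max_age;
    return l_hits = 1;
  exception
    when others then
      return false;                  -- fail closed, as the original function does
  end is_active;

  -- Server-side invalidation: once ended, the SID in a saved URL is worthless.
  procedure end_session(p_sid in varchar2) is
  begin
    update forms_sessions
       set ended_at = sysdate
     where sid = p_sid
       and ended_at is null;
    commit;
  end end_session;
end pkg_sid_check;
/

-- Authorization scheme MYAUTH (PL/SQL function body returning boolean),
-- evaluated once per page view so the check runs on every request:
--   return pkg_sid_check.is_active(:P1_SID);
-- At logout, run pkg_sid_check.end_session(:P1_SID) before the redirect.
```

Where end_session is called from depends on how the logout link is wired in the application; the point is that the record is invalidated on the server, so replaying the old URL fails the per-request check even though DAD authentication still logs the request in automatically.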