Logout Not Invalidating Session
630762 Jun 30 2008 — edited Jul 28 2008
One of our applications was recently scanned by Security and they were able to do a 'Session Replay Attack' in our application. The cookie does not appear to be expiring upon logout which allows a user to log back in under that session even after closing everything out. Our current Authentication Scheme is set to the following on logout:
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&APP_ID.:1000:&SESSION.
We are currently using APEX 2.2. Can you provide any guidance as to how to expire the session cookie so no one can get in again?
Thank you,
Amy