SSO authentication within APEX
PGRW Aug 29 2008 — edited Sep 22 2008
I am just finishing off on a project where I have been mostly doing APEX and PL/SQL work. The system is deployed and in production but I have noticed a bug which has some pretty frightening consequences and want to nip it in the bud before users discover it. I suspect they might have already found it!
The application uses SSO for authentication. If the logout URL is selected, the app redirects to page 101 and, after examining session state, everything is gone. All looks good, but hitting the back button presents the last page, and following any link proves the app is still under the impression that authentication is valid.
This is a worry but the real concern is that on P101, if I enter a new username and ANY password, I then get back into the app as that new user.
I have tried both of the following URLs for the logout definition and this is used in the header shortcut that appears on most of the page templates:
wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&APP_ID.:101
http://&P0_SERVER.&P0_SCRIPT./wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://&P0_SERVER.:443/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://&P0_SERVER.&P0_SCRIPT./f?p=&APP_ID.:PUBLIC_PAGE
Page zero contains a couple of items which manage the server and script values as these differ on DEV and PROD.
Any help greatly appreciated.
Phil