Good morning,
My install is DB 12.1R2 on APEX 5.1.1 and the latest version of ORDS.
I have a requirement to have 3 public pages on an internal application that allow users a self sign-up process. I am looking into some best practices around security and have some things I would like to resolve.
My process is a wizard progress, and my first page P1 in the wizard progress is to enter some information; it uses a validation function on submit to the next page (PL/SQL returning boolean) to check those details. If the details are found (TRUE), navigate to page 2; if not, spit out an error for the user to enter them again. On P2 the user then enters some extra information and can navigate to P3 to finalize (check entered details) and submit. Now my issue is that a user can just manually enter the URL to page P2, bypass the validation function, enter the data on P2 and move to P3 (check details).
Now for the process on P3 (to verify the entered information) I retrieve the values in a before header process, for example:
P3_EMAIL := P1_EMAIL; (example)
P3_DOB := P1_DOB; (example)
The items are protected with "do not allow set by URL", and the submit button has a condition on it that the fields must not be null, so if P1 was skipped then P3 will retrieve null and the submit condition will not be allowed.
Now, for my own sanity, how do I stop users doing the above? My idea was to have a hidden item on P2 that I could populate with Y, which is sent from the P1 branch if the validation is successful, and the items/region to enter/show would only be shown when P2 = Y; if it is null (i.e. the page was navigated to from the URL), show another region (alert) saying you need to complete Page 1 on the list to see this, so go back.
Does anyone have a more elegant solution to this issue? If my way works, how do I get around the idea that the hidden element cannot be tampered with? If I use SSP as "Restricted - may not be set from browser" I cannot set the item to Y from the branch, as I get the error message:
The checksum computed on the request, clear cache, argument names, and argument values (RPP20_NEWY [-ZYarI2k3M81LlQvo9QeykQlMi3eWJObbBCFheSR8RZEH0ftYs-Ar4QJFHIsODvILMudPseS_WGjgwqCVmcG_A]) did not match the checksum passed into the show procedure (a9LipShydzyvGYV2Z9n-ubUTu92YasL8KBpfFgftyLybZGd5E2QB_Jzq2GythsaICX7p7B66gqFGV1qurh7ziQ). Note: End users get a different error message.
So would I just create a process after validation but before the branch that sets the next page's hidden item to Y via a PL/SQL process, and have that item as restricted so it is never tampered with by the browser?
Any help or advice will be appreciated.
Regards
K4E
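An added example (not from the original post, not the poster's code) of the approach described in the last question: the "step 1 passed" fact is written to session state by a server-side page process, so a restricted item never has to travel in a branch URL. It assumes a hidden item P2_STEP1_OK with Session State Protection "Restricted - May not be set from browser" and the existing page 1 validation left in place; the item name and page numbers are assumptions.

```plsql
-- Page 1, process point "After Submit", sequence after the validation.
-- APEX only runs processes once all validations have passed, so reaching
-- this block already means the PL/SQL boolean validation returned TRUE.
-- Assigning the bind variable sets session state on the server; because
-- P2_STEP1_OK is "Restricted - May not be set from browser", no URL, form
-- post or branch "set items" can write it, which is why the branch approach
-- raised the checksum error in the post. The branch to page 2 then carries
-- no item values at all.
BEGIN
  :P2_STEP1_OK := 'Y';
END;

-- Page 1, process point "Before Header": clear the flag whenever page 1 is
-- rendered, so a stale 'Y' from an earlier attempt in the same session
-- cannot be reused after the user changes the details.
BEGIN
  :P2_STEP1_OK := NULL;
END;

-- Page 2, process point "Before Header": a direct URL to page 2 arrives with
-- P2_STEP1_OK unset, so the user is sent back to page 1 instead of being
-- shown the entry region. The same expression can be used as a Server-side
-- Condition (PL/SQL Expression) on the region if an alert is preferred:
--   nvl(:P2_STEP1_OK, 'N') = 'Y'
BEGIN
  IF nvl(:P2_STEP1_OK, 'N') <> 'Y' THEN
    apex_util.redirect_url(
      p_url => apex_util.prepare_url('f?p=' || :APP_ID || ':1:' || :APP_SESSION));
  END IF;
END;

-- Page 3, "After Submit" process that performs the final sign-up: check the
-- same flag again here, so a null P3_EMAIL / P3_DOB is not the only thing
-- standing between a skipped page 1 and the submit.
BEGIN
  IF nvl(:P2_STEP1_OK, 'N') <> 'Y' THEN
    raise_application_error(-20001, 'Please complete step 1 before submitting.');
  END IF;
  -- ... insert the sign-up request here ...
END;
```

The page 3 check matters because "do not allow set by URL" only blocks URL tampering; a restricted item plus a server-side check is what stops a crafted form post as well.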