APEX 26.1 - apex_session.delete_session cascades and kills ALL sessions sharing multi-app bindings

Paavo, Jun 1 2026

Subject: APEX 26.1 - apex_session.delete_session cascades and kills ALL sessions sharing multi-app bindings

Environment:
Oracle APEX 26.1.0, ORDS 26.1.1, Oracle Database 19c
Multiple APEX applications in one workspace sharing a custom authentication scheme with a common cookie. Users have concurrent sessions across apps from browser tabs.
The concurrent sessions in tabs are created with p_request => 'APEX_CLONE_SESSION' so they are isolated from each other.
Each tab has its own session and this works like a charm.

Need:
There is a need to give the end user a tool to delete/kill older active sessions they don't need and are ready to sacrifice to be able to open new sessions.
So, a special administrative session kill page that allows an end user to terminate a selected APEX session from the active list of sessions.

Problem:
When apex_session.delete_session(p_session_id => :target_session_id) is called, it does not kill only the target - it kills ALL active sessions for all users that share multi-app session bindings in the same workspace, including the current session.

Tests:
- Our PL/SQL wrapper package: tested with raw apex_session.delete_session in an APEX Ajax On Demand process, dynamic PL/SQL and page submit, and they all cascade deletes.
- The Ajax/JavaScript layer: same cascade with a simple page submit process.
- Custom auth cookie: tested with and without, no difference in behaviour.
- apex_authentication.logout() loop: called logout(p_session_id => target, p_app_id => each distinct app from apex_workspace_activity_log) in a loop before delete_session - still cascades.
- APEX Workspace Admin UI: Manage Service > Session State > Recent Sessions > Remove Session - also cascades for multi-app sessions.

Key finding that narrows the cause - standalone sessions can be killed
We have a separate standalone session_killer application with HTTP header auth SSO authentication and no custom cookie scheme. Sessions in that app are bound to one application only. When apex_session.delete_session is called from that app against a target session that also only has one-app bindings, the kill is clean - caller survives, other sessions survive, only the target is terminated. Actually, there are old OTN articles pinpointing this solution.

The cascade occurs when the target session has activity across multiple applications (custom auth cookie spans sentry and satellite apps with common global items). The number of apps the target session is bound to is the only variable that correlates with cascade vs no cascade.

Question:
Is this cascade behaviour by design in APEX for sessions with multi-app bindings? It appears apex_session.delete_session cleans up per-app session-state rows in a way that also resets shared workspace state visible to other active sessions.

Is there a best practice to terminate one specific session without cascading to other sessions that happen to share multi-app bindings in the same workspace?
Also is this related to bug 38596600 reported in APEX 24.2.12 but fixed later on?

Any guidance on the correct way to safely kill one specific session in a multi-app workspace is appreciated.

@christian-neumueller-oracle I think you might have insight into these cloned sessions?

Rgrds Paavo
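
An added example, not part of the original post and not Oracle's code: a wrapper for the end-user kill page described above that only deletes a session owned by the calling user and reports how many applications the target touched and how many sessions actually disappeared, so the cascade can be measured per call. The procedure name `kill_own_session` and its parameters are hypothetical; it assumes it runs inside an APEX session of the same workspace, so the `apex_workspace_*` views are populated, and that the activity log still holds rows for the target.

```sql
-- Hypothetical helper (added example): ownership-checked delete with measurement.
create or replace procedure kill_own_session (
    p_target_session_id in  number,
    p_app_count         out pls_integer,   -- distinct apps the target was active in
    p_sessions_removed  out pls_integer )  -- 1 = clean kill, >1 = cascade
is
    l_owner   apex_workspace_sessions.user_name%type;
    l_before  pls_integer;
    l_after   pls_integer;
begin
    -- Never let the kill page delete the session it is running in.
    if p_target_session_id = to_number(sys_context('APEX$SESSION', 'APP_SESSION')) then
        raise_application_error(-20000, 'Refusing to delete the calling session');
    end if;

    -- Authorization: the target must exist in this workspace and belong to the caller.
    begin
        select user_name
          into l_owner
          from apex_workspace_sessions
         where apex_session_id = p_target_session_id;
    exception
        when no_data_found then
            raise_application_error(-20001, 'Session not found in this workspace');
    end;
    if upper(l_owner) <> upper(sys_context('APEX$SESSION', 'APP_USER')) then
        raise_application_error(-20002, 'Target session belongs to another user');
    end if;

    -- The variable the post correlates with the cascade: apps bound to the target.
    select count(distinct application_id)
      into p_app_count
      from apex_workspace_activity_log
     where apex_session_id = p_target_session_id;

    select count(*) into l_before from apex_workspace_sessions;

    apex_session.delete_session(p_session_id => p_target_session_id);

    -- Sessions created or expired concurrently by other users can skew this
    -- difference; run the measurement on a quiet test workspace.
    select count(*) into l_after from apex_workspace_sessions;
    p_sessions_removed := l_before - l_after;
end kill_own_session;
/
```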
