Monday 12 June 2017

Avoiding multiple logins from external Apex links

Some Apex applications sends notifications emails to users when tasks are due. These emails contain a link to an Apex page. When the user clicks on the link he is taken to the page. When this page is not public - which usually is the case - he is directed to the login page of the application. Even when he is logged in for the same browser on another tab.
When users get a lot of these emails it is annoying they have to log in each time. Apex provides a way to avoid the login when a session exists in the same browser. This post describes how you can set it up using the Rejoin Sessions functionality.

In order to be able to rejoin an existing session a few settings have to be made. 

The instance setting Rejoin sessions needs to be set to Enabled for All sessions. Log in as Instance Administrator and navigate to Manage Instance > Security  


The application setting Rejoin sessions needs to be set to Enabled for All sessions. As a developer go to Shared Components > Security Attributes > Session Management :



After setting this parameter you may be prompted to set the parameter Embed in frames to Deny or Allow from same Origin

The link in the email usually contains parameters. Links with parameters should contain a checksum for session rejoining. So on the target page set Page Access Protection to Arguments must have checksum. Then provide the link URL with a checksum:

l_url := apex_util.prepare_url(l_url);

Use this URL in the notification email to your users. 
When the user clicks on the link and there is no session in the browser he is prompted to login. 
When the user clicks on the link and there is a session in the browser the target page is shown with the parameters from the URL. The user does not need to login a second time. 

This method does not imply a security risk because an existing session is reused. When the user is not logged in the login page will be presented. 

In this example the parameter names and values are exposed in the URL. To maximize the security these might be hidden by storing the actual URL in a table indexed with a hash value. The link in the email points to an intermediate page that uses the hash value to retrieve the actual URL and redirect to it. 

Happy Apexing












4 comments:

Anonymous said...

Thanks! This was just what I was looking for.

Anonymous said...

How to pass parameters to the target page if user is redirected to Login Page and then moves to the target page after a successful login?

Dick Dral said...

@Anonymous

You can pass parameters the way you always do in an APEX URL. Check the APEX Boiler manual for the structure of the APEX URL.
Do not forget to execute prepare_url on this URL in order to generate the checksum

Kind regards,
Dick

Anonymous said...

Hi,

I am using Application Express 5.0.0.00.31 and after setting the Application level as well as page-level Rejoin Session to "Enabled For all Session" still I am getting the login page again after creating an apex session in the same tab. Trying to load the page without any parameters

what could be the reason?

vdp