When users get a lot of these emails, it is annoying that they have to log in each time. APEX provides a way to avoid the login when a session already exists in the same browser. This post describes how to set it up using the Rejoin Sessions functionality.
In order to be able to rejoin an existing session a few settings have to be made.
The instance setting Rejoin sessions needs to be set to Enabled for All sessions. Log in as Instance Administrator and navigate to Manage Instance > Security.
The application setting Rejoin sessions needs to be set to Enabled for All sessions. As a developer, go to Shared Components > Security Attributes > Session Management.
After setting this parameter you may be prompted to set the parameter Embed in frames to Deny or Allow from same Origin.
The link in the email usually contains parameters. Links with parameters should contain a checksum for session rejoining. So on the target page set Page Access Protection to Arguments must have checksum. Then provide the link URL with a checksum:
l_url := apex_util.prepare_url(l_url);
Use this URL in the notification email to your users.
When the user clicks on the link and there is no session in the browser, they are prompted to log in.
When the user clicks on the link and there is a session in the browser, the target page is shown with the parameters from the URL. The user does not need to log in a second time.
This method does not imply a security risk because an existing session is reused. When the user is not logged in the login page will be presented.
In this example the parameter names and values are exposed in the URL. To maximize security, these can be hidden by storing the actual URL in a table indexed with a hash value. The link in the email then points to an intermediate page that uses the hash value to retrieve the actual URL and redirect to it.
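The intermediate-page approach described above, sketched as an added example (not code from the original post). The table `email_links`, the function `make_email_link`, page 900 and its item `P900_TOKEN` are hypothetical names, and a random token from `dbms_crypto.randombytes` stands in for the hash value.

```sql
-- Lookup table: the e-mail carries only the token, never the real parameters.
create table email_links (
  token      varchar2(64)   primary key,  -- opaque lookup key
  target_url varchar2(4000) not null,     -- real f?p= URL with item names and values
  expires_on date           not null      -- links stop working after this date
);

-- Called while building the notification e-mail.
create or replace function make_email_link (
  p_app_id     in number,
  p_target_url in varchar2,               -- e.g. 'f?p=100:20:::NO::P20_ID:4711' (constructed)
  p_valid_days in number default 7
) return varchar2
is
  -- 32 random bytes, hex encoded; requires EXECUTE on DBMS_CRYPTO.
  l_token email_links.token%type := rawtohex(dbms_crypto.randombytes(32));
begin
  insert into email_links (token, target_url, expires_on)
  values (l_token, p_target_url, sysdate + p_valid_days);

  -- Hypothetical intermediate page 900 with Page Access Protection set to
  -- "Arguments must have checksum", so the token link is checksummed as well.
  return apex_util.prepare_url(
           'f?p=' || p_app_id || ':900:::NO::P900_TOKEN:' || l_token);
end make_email_link;
/

-- Before Header process on the intermediate page (page 900).
declare
  l_url email_links.target_url%type;
begin
  select target_url
    into l_url
    from email_links
   where token = :P900_TOKEN
     and expires_on > sysdate;

  -- prepare_url runs inside the user's (rejoined or new) session here,
  -- so the checksum for the real URL is generated at click time.
  apex_util.redirect_url(p_url => apex_util.prepare_url(l_url));
exception
  when no_data_found then
    -- Unknown or expired token: reveal nothing about the target.
    raise_application_error(-20001, 'This link is invalid or has expired.');
end;
/
```

Purge expired rows from `email_links` with a scheduled job so old tokens do not accumulate.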
Happy Apexing
Thanks! This was just what I was looking for.
How to pass parameters to the target page if user is redirected to Login Page and then moves to the target page after a successful login?
@Anonymous
You can pass parameters the way you always do in an APEX URL. Check the APEX Boiler manual for the structure of the APEX URL.
Do not forget to execute prepare_url on this URL in order to generate the checksum.
Kind regards,
Dick
Hi,
I am using Application Express 5.0.0.00.31 and after setting the Application level as well as page-level Rejoin Session to "Enabled For all Session" still I am getting the login page again after creating an apex session in the same tab. Trying to load the page without any parameters.
What could be the reason?
vdp