During session setup, at the beginning of Apex' request processing, it approximately runs this code:
1. Write session id from the request (URL or POST parameter) into a global variable
2. Load application authentication metadata (cookie name, sentry function, invalid session function, etc.)
3. If a session global exists, run "Builtin Cookie Sentry":
3.1. Query the session table by the cookie value.
3.2. If the query's session id equals the global session id, the session information matches.
3.3. Otherwise, the session information is incomplete, reset session variable.
4. If this is not the login page, run application-specific sentries:
4.1. Run session sentry function's result if a function is defined
4.2. If the sentry function returned true, run the validation function if it is defined
5. "Create / Reuse Session"
5.1. If the session variable points to a valid session record, read user and other variables from the session record
5.2. Otherwise, create a new, unauthenticated session
6. Write a new HTTP session cookie if a new session was created
7. If the sentries (4.) returned false, run "Invalid Session Handling":
7.1. Save deep link to current page
7.2. Run invalid session function if a function is defined
7.3. Redirect to authentication's "Session Not Valid" url
This is only an overview and implementation details may change. However, I think it can show the main problems with using the invalid session function for session joining:
- In (4.1), the engine creates a new session record and session id
- In (6), the engine writes a session cookie
- The invalid session function changes the global session id variable back to the old session, but there is still a newly created session
- The invalid session function re-inits the htp buffer and thereby undoes (6) from above. The session joining would create a new session for each request, otherwise.
My proposal is that you use a session sentry function instead. Here's an example:
function session_joining_sentry return boolean is
l_cookie_session_id number;
l_user APEX_WORKSPACE_SESSIONS.USER_NAME%TYPE;
l_result boolean;
procedure dbg(p_str in varchar2)
is
begin
apex_application.debug('session_joining_sentry: '||p_str);
end dbg;
begin
if APEX_CUSTOM_AUTH.GET_SESSION_ID is not null then
dbg('apex could already determine session by URL session id and cookie value');
l_result := true;
else
dbg('apex could not determine session by URL session id and cookie value');
l_cookie_session_id := APEX_CUSTOM_AUTH.GET_SESSION_ID_FROM_COOKIE;
if l_cookie_session_id is not null then
dbg('apex found session via cookie. we try to re-use this as our current session id');
begin
select user_name
into l_user
from APEX_WORKSPACE_SESSIONS
where apex_session_id = l_cookie_session_id;
l_result := true;
exception when NO_DATA_FOUND then
dbg('session could not be found in session table - sentry fails');
l_result := false;
end;
if l_result then
dbg('re-using session for user '||l_user);
APEX_CUSTOM_AUTH.DEFINE_USER_SESSION (
p_user => l_user,
p_session_id => l_cookie_session_id);
end if;
else
dbg('apex could not find the session cookie. sentry fails');
l_result := false;
end if;
end if;
return l_result;
end session_joining_sentry;总结,创建函数session_joining_sentry,在Shared Components->Authentication Schemes 中的选择当前使用,在Session Not Valid上写上该函数名。
转载自:https://cn.forums.oracle.com/forums/thread.jspa?messageID=10218874
3307
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
