3 Replies. Latest reply: May 14, 2013 8:23 PM by RichS

    Session State Encryption - Why use it?

      I'm interested in the main reasons for using the session state encryption attribute setting. As session state can only be viewed by a developer or administrator, does this setting have any advantage for a runtime user? What is the purpose of this setting if the developer can see the actual value in the page item anyway?
      Thanks in advance
        • 1. Re: Session State Encryption - Why use it?

          When that attribute is set to "Yes", the item value is encrypted when it is stored in APEX session state.
          An admin or developer cannot see the user's plain value when querying, e.g., APEX views.
          Session state that is sensitive can be encrypted when stored in Application Express session state management tables. To maintain session state encrypted for this item set the value to Yes. Values up to 4000 bytes in length can be encrypted. Attempts to encrypt values longer than 4000 bytes will produce an error message.

          My Blog: http://dbswh.webhop.net/htmldb/f?p=BLOG:HOME:0
          Twitter: http://www.twitter.com/jariolai
          • 2. Re: Session State Encryption - Why use it?
            Thanks for your response Jarola, but could you give me a practical example of where I would use this? I'm a bit confused about what the user sees and what a developer would see.
            Thanks in advance
            • 3. Re: Session State Encryption - Why use it?
              Here's a practical example...

              Let's say you have an application that stores PII (Personally Identifiable Information). You don't want developers and/or DBAs to see that information by querying the session state tables underneath APEX, so you enable Session State Encryption.

              You could also use Data Vault to then protect that information when it goes into your application tables (not the APEX tables, your tables).