When an application with APEX authentication requires a password change, it navigates to the change password page 4155:50. It also passes the application's home link as a deep link, so the change password page knows where to redirect to when you hit [Return]. I have never heard of a case where this redirects to 4550:1. Can you please post the exact page flows (app id : page id) for this interaction?
Btw, for internet-facing systems, you should really consider using a runtime-only installation. This significantly reduces the available interfaces. In your scenario, it is trivial for an external client (or an attacker who maybe scanned IP ranges and found your server) to directly navigate to the APEX login page and make some login attempts.
Thanks for your response.
Please let me clarify the following:
- When the user is prompted to change their password, it first navigates to the normal APEX password change page you specified above - 4155:50.
- When the user enters their current and new passwords and hits [Return], APEX directs the user to page 4550:1.
- This issue occurs intermittently and cannot be reproduced at will.
- BTW: I agree with you that external internet-facing applications should have a build status of ‘Run Application Only’. The build status was left at Run and Build by mistake.
As requested the page flows are as follows:
- The user enters the old and new password
- The user hits [Return]
- The user is then redirected to p=4550:1
I hope this is helpful.
Thanks for the additional information.
I meant that an internet-facing site maybe should not have the APEX development environment installed at all. You can just install the runtime components of APEX to remove attack vectors.
Intermittent issues are always tricky to diagnose. How often does this happen? Are you seeing anything suspicious in the web server logs? Speaking of web server, what are you using? A bug can never be ruled out, but I suspect that there is a configuration issue somewhere. If you have a support contract, I suggest that you open a service request. You could give login credentials of your app to support, to let them diagnose the issue.
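The reply above suggests looking at the web server logs for anything suspicious. The script below is an added example (not code from the thread, from Oracle, or from either poster) of the two checks a practitioner would run over those logs: counting per-IP requests to the workspace login page 4550:1 (the page an external client can hit directly to make login attempts), and flagging requests to 4550:1 whose Referer is the change password page 4155:50, which is exactly the bounce the original poster describes. It assumes an Apache/OHS-style combined log format in front of APEX with `/ords/f?p=...` URLs; the log lines, IP addresses and the `threshold` of 5 are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/OHS "combined" log format (assumption: this is what fronts the APEX instance).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one address hammering the workspace login page, and one
# legitimate user bounced from the change password page to the login page.
SAMPLE_LOG = """
203.0.113.7 - - [10/Mar/2014:10:15:01 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:15:02 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:15:03 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:15:04 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:15:05 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:15:06 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "-" "curl/7.30"
198.51.100.20 - - [10/Mar/2014:10:20:10 +0000] "GET /ords/f?p=4155:50:3987654321 HTTP/1.1" 200 7040 "https://apex.example.test/ords/f?p=100:101" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:10:20:41 +0000] "POST /ords/wwv_flow.accept HTTP/1.1" 302 0 "https://apex.example.test/ords/f?p=4155:50:3987654321" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:10:20:42 +0000] "GET /ords/f?p=4550:1 HTTP/1.1" 200 5120 "https://apex.example.test/ords/f?p=4155:50:3987654321" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:10:25:00 +0000] "GET /ords/f?p=100:1:3987654321 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".strip()


def apex_page(url):
    """Return 'app:page' from the f?p= parameter of an APEX URL, or None.

    The p parameter is APP:PAGE:SESSION:REQUEST:..., so only the first two
    colon-separated fields identify the page.
    """
    p = parse_qs(urlsplit(url).query).get("p")
    if not p:
        return None
    parts = p[0].split(":")
    if len(parts) < 2:
        return None
    return f"{parts[0]}:{parts[1]}"


def analyse(lines, login_page="4550:1", change_pw_page="4155:50", threshold=5):
    """Count hits on the workspace login page per IP and record bounces
    from the change password page to the login page.

    threshold is a hypothetical cut-off for 'too many login page hits'.
    """
    login_hits = Counter()
    bounced = []  # (ip, time) of login-page requests referred by 4155:50
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if apex_page(m["path"]) != login_page:
            continue
        login_hits[m["ip"]] += 1
        if apex_page(m["referer"]) == change_pw_page:
            bounced.append((m["ip"], m["time"]))
    suspicious = sorted(ip for ip, n in login_hits.items() if n >= threshold)
    return {
        "login_hits": dict(login_hits),
        "suspicious_ips": suspicious,
        "bounced": bounced,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for ip, n in result["login_hits"].items():
        print(f"{ip}: {n} request(s) to the workspace login page")
    print("possible login brute force from:", result["suspicious_ips"])
    print("bounced from change password page to login page:", result["bounced"])
```

Run it against a real access log with `analyse(open(path).readlines())`; the "bounced" entries give the timestamps to correlate with the intermittent reports, and the per-IP counts show whether the exposed login page is already being probed, which is the argument for the runtime-only installation the reply recommends.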