4 Replies. Latest reply: Apr 14, 2014 7:20 AM by tomvdduin

    Apex without cookies

    tomvdduin

      Hello all,

      Is it possible for Apex not to use a session cookie? We're using Apex 4.2.4. The reason why I ask this is that we made a page with a form that is used in an iframe on a lot of different domains (right now, 15 domains, but it's adding up). Because the Apex form is hosted on the same URL for all the iframes, Safari doesn't show the form (because the Apex form is hosted on apex.somedomain.com and the page with the iframe is hosted on anotherdomain.com, Safari ignores the cookie and doesn't show the form). We want to support Safari, because of the iPad users...

      Is that possible, or is there another solution for my problem? We now make redirect subdomains, so apex.anotherdomain.com is redirected to the same IP address as apex.somedomain.com. But it's a time-consuming thing to do; none of the domains are in admin with us.

      Regards,

      Tom

        • 1. Re: Apex without cookies
          Christian Neumueller-Oracle

          Hi Tom,

          cookies are necessary to get session security right. Technically it is possible, though, by entering an undocumented value as cookie name and writing the session sentry in a certain way. But before I give you any more details on that, can you please check whether Safari shows any errors in its debug console? My experience with other browsers is that you typically see messages that explain why some resource could not be loaded. This issue reminds me of similar problems with Internet Explorer, which allows cross-domain cookies with P3P response headers.

          Regards,

          Christian

          • 2. Re: Apex without cookies
            tomvdduin

            Hi Christian,

            Sorry for my late reply. Safari gives the following error in the debug console: GET http://apex.otherdomain.com/apex/f?p=... too many HTTP redirects. It is just a simple form where a user can get a subscription for a magazine. Can you maybe explain what the undocumented cookie name is, what I have to add in the session sentry function and perhaps what the disadvantages are?

            Regards,

            Tom

            • 3. Re: Apex without cookies
              Christian Neumueller-Oracle

              Hi Tom,

              you get the redirects because Safari by default does not allow 3rd-party cookies. They can be enabled in the browser settings:

                http://support.apple.com/kb/HT1677

              If this is not feasible for your customers, you can configure APEX to run without a session cookie. As I mentioned, this makes your application less secure. An attacker who finds out a user's session id can take the session over on another machine. This is not a theoretical threat; there are several ways an attacker can find out session IDs. Therefore, I generally do not recommend running without a cookie from a security point of view. It may be acceptable when the application is not security relevant, though. The application should *only* contain this simple form you mentioned. If your application is larger, split it and move this page into a new app. In this application, change the authentication scheme's cookie name to "-NO_COOKIE-". The scheme type can be "No Authentication (using DAD)".

              Regards,

              Christian
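The reply above says that without a session cookie an attacker who learns a user's session ID can take the session over on another machine. As an added illustration that is not part of the thread and not Oracle's or APEX's own code: the script below first extracts APEX session IDs from constructed access-log lines (the web server of a site that embeds the form records the full APEX URL, session ID included, in the Referer field), then replays such a leaked URL against a simplified, constructed session-sentry model once with a cookie bound to the session and once with the "-NO_COOKIE-" setting. The f?p= field layout (APP:PAGE:SESSION:REQUEST:DEBUG:CLEAR_CACHE:ITEMS:VALUES:PRINTER_FRIENDLY) is APEX's real one; the SessionSentry class, the cookie name ORA_WWV_APP_100, the log lines and the session IDs are assumptions made for this example.

```python
"""Added example (not from the thread, not Oracle APEX code): a simplified
model of why an APEX-style session is hijackable without a session cookie.

Real: APEX URLs carry the session ID as the third colon-separated field of
f?p=APP:PAGE:SESSION:REQUEST:DEBUG:CLEAR_CACHE:ITEMS:VALUES:PRINTER_FRIENDLY.
Constructed for the example: the log lines, the SessionSentry class, the
cookie name "ORA_WWV_APP_100" and the way the cookie is bound to a session.
"""
import re
import secrets
from urllib.parse import parse_qs, urlparse

FP_FIELDS = ("app", "page", "session", "request", "debug",
             "clear_cache", "item_names", "item_values", "printer_friendly")

NO_COOKIE = "-NO_COOKIE-"   # the cookie-name setting discussed in the thread

# Constructed access-log lines (combined log format) from a site that embeds
# the APEX form in an iframe: the Referer field leaks the full APEX URL.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2014:07:20:00 +0000] "GET /css/site.css HTTP/1.1" 200 512 "http://apex.somedomain.com/apex/f?p=100:1:1234567890123::NO:::" "Mozilla/5.0"
203.0.113.6 - - [14/Apr/2014:07:21:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2014:07:22:00 +0000] "GET /img/logo.png HTTP/1.1" 200 4096 "http://apex.somedomain.com/apex/f?p=100:1:9876543210987:CREATE:NO:::" "Mozilla/5.0"
"""

# status code, response size, then the quoted Referer field
REFERER_RE = re.compile(r'" \d{3} \S+ "([^"]*)" "')


def parse_fp(url):
    """Split an APEX f?p= URL into its named colon-separated fields."""
    p = parse_qs(urlparse(url).query).get("p", [""])[0]
    parts = p.split(":")
    parts += [""] * (len(FP_FIELDS) - len(parts))
    return dict(zip(FP_FIELDS, parts))


def session_ids_from_log(log_text):
    """Return the APEX session IDs found in Referer fields of access-log lines."""
    found = []
    for line in log_text.splitlines():
        m = REFERER_RE.search(line)
        if not m or "f?p=" not in m.group(1):
            continue
        sid = parse_fp(m.group(1))["session"]
        if sid:
            found.append(sid)
    return found


class SessionSentry:
    """Constructed model of a session sentry, not APEX's implementation.

    With a cookie name, login issues a random cookie value and a request is
    accepted only when the URL session ID and that cookie belong to the same
    session. With NO_COOKIE, the URL session ID alone identifies the session.
    """

    def __init__(self, cookie_name):
        self.cookie_name = cookie_name
        self.sessions = {}          # session id -> {"user": ..., "cookie": ...}
        self._next_id = 1234567890123   # assumed starting ID, keeps runs reproducible

    def login(self, user):
        sid = str(self._next_id)
        self._next_id += 1
        cookie = None if self.cookie_name == NO_COOKIE else secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "cookie": cookie}
        return sid, cookie

    def validate(self, url, cookies):
        """Return the user owning the session named in `url`, or None if rejected."""
        record = self.sessions.get(parse_fp(url)["session"])
        if record is None:
            return None
        if record["cookie"] is not None and cookies.get(self.cookie_name) != record["cookie"]:
            return None
        return record["user"]


def replay_leaked_url(cookie_name):
    """Attacker who learned a victim's URL (e.g. from a Referer log) but holds
    none of the victim's cookies. Returns the user the attacker is treated as."""
    sentry = SessionSentry(cookie_name)
    sid, _victim_cookie = sentry.login("tom")
    leaked_url = f"http://apex.somedomain.com/apex/f?p=100:1:{sid}::NO:::"
    return sentry.validate(leaked_url, cookies={})


if __name__ == "__main__":
    print("session IDs leaked via Referer:", session_ids_from_log(SAMPLE_LOG))
    print("with cookie, attacker is treated as:", replay_leaked_url("ORA_WWV_APP_100"))
    print("-NO_COOKIE-, attacker is treated as:", replay_leaked_url(NO_COOKIE))
```

With a cookie the replayed URL is rejected (None); with "-NO_COOKIE-" the same URL is accepted as the victim, which is the takeover the reply warns about. That is also why the reply insists the cookie-less application hold nothing but the one simple form: whatever lives in it is reachable by anyone who sees the URL in a log, a browser history or a Referer header.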

              • 4. Re: Apex without cookies
                tomvdduin

                Hi Christian,

                I'm aware of the setting in Safari. Because theoretically everyone in the whole world is our customer, that's not a very acceptable solution...

                But the '-NO_COOKIE-' option works great! Thank you for giving me that solution. As our application only contains that one page, the security risk is minimal.

                Regards,

                Tom