APEX 3.2: Session Timeout URL & Substitution Items

Duncs
Duncs Member Posts: 507 Bronze Badge
edited Sep 16, 2009 2:01PM in APEX Discussions
This is one for the APEX guys.

Are there any plans to extend the number of substitution items supported in the "Session Timeout URL" or "Idle Timeout URL"?

The documentation states that:

"Only three substitution items are supported in this URL: &APP_SESSION., &SESSION., and &APP_ID., although because of the particular purpose of this URL it is not necessary to include either &APP_SESSION. or &SESSION. in the link."

The one I am most interested in would be the addition of the "LOGOUT_URL" defined in your application authentication scheme.

I can see many people wanting to implement Session Timeout and once the session has expired, log them out of the application.

If the LOGOUT_URL substitution item was supported, it would make this task very simple indeed and not have to worry about changing the Session Timeout URL should your Logout URL ever change (as ours recently did when we moved from 10.1.2 OIM to 10.1.4 OIM).

I hope this can be implemented in a future release.

Regards

Duncan

Answers

  • 60437
    60437 Member Posts: 16,564
    Duncan,

    When the session expires or times out, it gets deleted, so is the logout URL still important?

    Scott
  • Duncs
    Duncs Member Posts: 507 Bronze Badge
    As far as APEX is concerned I guess not but what about your SSO cookie? That is still active I assume when you are using SSO as your authentication scheme?

    If that is the case and your re-direct went to your apex homepage, you will get a new APEX session ID and cookie but you will use the currently active SSO session and hence not prompted to re-login.

    Regards

    Duncan
  • 60437
    60437 Member Posts: 16,564
    Duncan - I'd suggest having the timeout URL go to a page that redirects to the logout URL in such a way that a notification page is the last thing the user sees, e.g., "you've been logged out because you exceeded the maximum allowable session idle time, click "here" to login again".

    Scott
  • Duncs
    Duncs Member Posts: 507 Bronze Badge
    Got your suggestion working now using a redirect and a call to the logout URL.

    Thanks for the suggestion.

    Regards

    Duncan
  • PktAces
    PktAces Member Posts: 300
    edited Jun 16, 2009 12:20PM
    Where can I find more info on session timeouts? I'm interested in particular in timing out a session that's been idle for a certain amount of time and logging them out totally.


    Nevermind, I realized how stupid that question was after I submitted it. Where's the "Retract Dumb Question" button in the forums?? :)

    Edited by: PktAces on Jun 16, 2009 12:19 PM
  • PktAces
    PktAces Member Posts: 300
    I do have a question about this now though. I tried implementing as outlined in the link at the top but I'm getting an error on the timeout page with a stop sign. It says

    Access denied by Application security check

    When I click the OK hyperlink it takes me to the application dev page. Does this work if you're using an access control page and the application authorization scheme is set to "access control - view"?
  • 60437
    60437 Member Posts: 16,564
    I'd have to see this scenario recreated on apex.oracle.com to give specific answers. Could be a quirk that comes into play only when you are sharing a session between the dev and runtime environments.

    Scott
  • PktAces
    PktAces Member Posts: 300
    I'll try to export and import my app into apex.oracle.com and get you access to it. Thanks.
  • PktAces
    PktAces Member Posts: 300
    Hi Scott,

    I finally got the app transferred.

    http://apex.oracle.com/pls/otn/f?p=31127:1

    tstadmin:tstadmin is an account you can use. The timeout just doesn't seem to work correctly. It does time out, but it goes to the login screen instead of the timeout page, then when you log in the timeout screen comes up.

    I'll send the workspace login info to you if you have an email address I can use.

    Thanks,
    Ben
  • 60437
    60437 Member Posts: 16,564
    Ben,

    Your timeout pages need to be public, otherwise the user would be required to authenticate since there will be a new session when they are requested.

    Scott
This discussion has been closed.
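
The three timeout setups described in this thread, as a small Python model added here (not APEX code and not written by any of the posters). The `Browser` class and all page names are assumptions made for illustration; the model only encodes the behaviour the posters describe: the timeout deletes the APEX session but leaves the SSO cookie, and a non-public timeout page forces authentication first.

```python
# Constructed model, not APEX code: page names below are hypothetical.
HOME, LOGIN = "home", "login"
TIMEOUT_REDIRECT = "timeout_redirect"   # public page set as the timeout URL
NOTIFICATION = "notification"           # public "you were logged out" page
LOGOUT_URL = "logout_url"               # stands in for the scheme's logout URL
PUBLIC = {TIMEOUT_REDIRECT, NOTIFICATION}


class Browser:
    def __init__(self, sso):
        self.sso_cookie = sso      # SSO session, independent of the APEX one
        self.apex_session = True
        self.pending = None        # page deferred until login completes

    def expire(self):
        self.apex_session = False  # timeout deletes only the APEX session

    def get(self, page):
        """Return the screen the user ends up seeing for this request."""
        if page == TIMEOUT_REDIRECT:
            return self.get(LOGOUT_URL)   # public page forwards to logout
        if page == LOGOUT_URL:
            self.sso_cookie = self.apex_session = False
            return NOTIFICATION           # notification is the last screen
        if page in PUBLIC or self.apex_session:
            return page
        if self.sso_cookie:        # live SSO cookie: new session, no prompt
            self.apex_session = True
            return page
        self.pending = page
        return LOGIN

    def login(self):
        self.apex_session = True
        page, self.pending = self.pending, None
        return page


def timeout_to_home():
    b = Browser(sso=True)
    b.expire()
    return b.get(HOME), b.sso_cookie

def timeout_to_protected_page():
    b = Browser(sso=False)
    b.expire()
    return b.get("timeout_page"), b.login()

def timeout_via_logout():
    b = Browser(sso=True)
    b.expire()
    return b.get(TIMEOUT_REDIRECT), b.sso_cookie, b.get(HOME)
```

`timeout_to_home` is the silent re-login Duncan describes, `timeout_to_protected_page` reproduces Ben's login-screen-first symptom, and `timeout_via_logout` is Scott's suggested flow, after which the next request for a protected page requires a fresh login.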