I think the question should be "How will I authenticate myself against Apex" or "How can I trust the user who is requesting access to the application".
The scenario you just described would only work if:
- The user/session has already been authenticated
- The deep link from mail/bookmark etc. contains the registered session id
- You don't have security features like checksum activated
In all other cases (and maybe some I didn't mention above), the user has to be authenticated. The goal is therefore to choose an authentication scenario that allows something like a Single-Sign-On to your application. But there are many ways to do this, secure and insecure ones. You have to decide what's best for your environment.
This is basically a security consideration the Oracle Apex Team made in the early days of Apex/HTMLDB, I suppose. No need to discuss it further or to search for workarounds.
Maybe these two links can give you some more background information.
Personally, I'm happy with the security concept of Apex. Using a prebuilt or customized authentication scheme has each time provided a solution for every thinkable scenario I had in the past.