APEX session保持登陆状态

During session setup, at the beginning of Apex' request processing, it approximately runs this code:

1. Write session id from the request (URL or POST parameter) into a global variable
2. Load application authentication metadata (cookie name, sentry function, invalid session function, etc.)

3. If a session global exists, run "Builtin Cookie Sentry":
3.1. Query the session table by the cookie value.
3.2. If the query's session id equals the global session id, the session information matches.
3.3. Otherwise, the session information is incomplete, reset session variable.

4. If this is not the login page, run application-specific sentries:
4.1. Run session sentry function's result if a function is defined
4.2. If the sentry function returned true, run the validation function if it is defined

5. "Create / Reuse Session"
5.1. If the session variable points to a valid session record, read user and other variables from the session record
5.2. Otherwise, create a new, unauthenticated session

6. Write a new HTTP session cookie if a new session was created

7. If the sentries (4.) returned false, run "Invalid Session Handling":
7.1. Save deep link to current page
7.2. Run invalid session function if a function is defined
7.3. Redirect to authentication's "Session Not Valid" url

This is only an overview and implementation details may change. However, I think it can show the main problems with using the invalid session function for session joining:

- In (4.1), the engine creates a new session record and session id
- In (6), the engine writes a session cookie
- The invalid session function changes the global session id variable back to the old session, but there is still a newly created session
- The invalid session function re-inits the htp buffer and thereby undoes (6) from above. The session joining would create a new session for each request, otherwise.

My proposal is that you use a session sentry function instead. Here's an example:

function session_joining_sentry return boolean is
  l_cookie_session_id number;
  l_user              APEX_WORKSPACE_SESSIONS.USER_NAME%TYPE;
  l_result            boolean;
  procedure dbg(p_str in varchar2)
  is
  begin
    apex_application.debug('session_joining_sentry: '||p_str);
  end dbg;
begin
  if APEX_CUSTOM_AUTH.GET_SESSION_ID is not null then
    dbg('apex could already determine session by URL session id and cookie value');
    l_result := true;
  else
    dbg('apex could not determine session by URL session id and cookie value');
    l_cookie_session_id := APEX_CUSTOM_AUTH.GET_SESSION_ID_FROM_COOKIE;
 
    if l_cookie_session_id is not null then
      dbg('apex found session via cookie. we try to re-use this as our current session id');
      begin
        select user_name
          into l_user
          from APEX_WORKSPACE_SESSIONS
         where apex_session_id = l_cookie_session_id;
        l_result := true;
      exception when NO_DATA_FOUND then
        dbg('session could not be found in session table - sentry fails');
        l_result := false;
      end;
 
      if l_result then
        dbg('re-using session for user '||l_user);
        APEX_CUSTOM_AUTH.DEFINE_USER_SESSION (
          p_user       => l_user,
          p_session_id => l_cookie_session_id);
      end if;
    else
      dbg('apex could not find the session cookie. sentry fails');
      l_result := false;
    end if;
  end if;

  return l_result;
end session_joining_sentry;

总结,创建函数session_joining_sentry,在Shared Components->Authentication Schemes 中的选择当前使用,在Session Not Valid上写上该函数名。

转载自:https://cn.forums.oracle.com/forums/thread.jspa?messageID=10218874






你可能感兴趣的:(session)