Skip to main content

Username and Password on Every Page

Well, not really, as that would be bad. However, I’ve often wondered how to include a field for the username and password on every public page, making the sign on process one less click. Well, there’s nothing like learning how to do something like having a customer requirement!

A current client wants a largely public site – that is, you do not need to authenticate to see most of it. Simple enough – just set the Page Attributes Security to Page is Public. However, the client also wanted the username and password field to appear on each and every public page.

From a developer point of view, I didn’t want to have to put any items on any page aside from Page Zero. Thus, every time that I add a page to the application, the login region would simply show up. This required a bit more thought.

Here’s what I came up with: I created a region on Page Zero which holds my username and password fields, as well as a Login button. The button is not an item button, but rather a true button which submits the page when clicked. I also set this region to only display when the user was unauthenticated.

In order to accommodate authenticated users, I also created an HTML region on Page Zero which only renders when the user is authenticated. This region simply displays a welcome message to the user.

Next, I created 2 application level processes to handle the actual authentication process. These two processes are copies of the Set Username Cookie & Login processes which are typically found on Page 101 of your HTML DB Application. These processes are set to run only when the REQUEST = P0_LOGIN, which is the name of my button on Page Zero.

Thus, when you enter a valid username and password and click the Login button on any public page in my application, you are authenticated and returned to the page from which you came. All without any code or items on any page aside from Page Zero!

Steps to Implement
  1. Create Page 0

  2. Create an HTML Region on Page 0 called Login

  3. Set condition of that region to User is the Public User (user has not authenticated)

  4. In that region, create two items:
    P0_USERNAME
    - Text
    P0_PASSWORD - Password

  5. Create an HTML Region on Page 0 called Welcome

  6. In the source of that region, enter a simple welcome message, such as Welcome, &APP_USER.

  7. Set condition of that region to User is Authenticated (user has not authenticated)

  8. Create a Button named P0_LOGIN on Page 0 in the Login region
    - Select Create Button in a Region Position when prompted
    - Leave Branch to Page blank

  9. Create an Application Level Process:
    Sequence
    : 1
    Process Point
    : On Submit: After Page Submission – After Computations and Values
    Name
    : Set Cookie
    Type
    : PL/SQL Procedure
    Process Text
    :
    begin

    owa_util.mime_header('text/html', FALSE);

    owa_cookie.send(

    name => 'LOGIN_USERNAME_COOKIE',

    value => lower(:P0_USERNAME));

    exception
    when others then null;

    end;

    Process Error Message
    : An Error Has Occured
    Condition Type
    : Request = Expression 1
    Expression 1
    : P0_LOGIN

  10. Create an Application Level Process:
    Sequence
    : 2
    Process Point
    : On Submit: After Page Submission – After Computations and Values
    Name
    : Login
    Type
    : PL/SQL Procedure
    Process Text
    :
    begin

    wwv_flow_custom_auth_std.login(

    P_UNAME => :P0_USERNAME,

    P_PASSWORD => :P0_PASSWORD,

    P_SESSION_ID => v('APP_SESSION'),

    P_FLOW_PAGE => :APP_ID||':&APP_PAGE_ID.'
    );
    :P0_USERNAME := null;

    :P0_PASSWORD := null;

    end;


    Process Error Message
    : An Error Has Occured
    Condition Type
    : Request = Expression 1
    Expression 1
    : P0_LOGIN

  11. Edit your current Authentication Scheme, and set the Logout URL to redirect to a public page, not page 101.

  12. Set the Security - Authentication to at least one page in your application to Page is Public.

You should now be able to sign on from any public page in your applicaion.

Comments

Anonymous said…
Hmm, interesting to read. I have to keep this tip in mind, just in case of.. You should post more blog entries like this :)
Scott said…
You should post more blog entries like this :)

Thanks for the feedback - I try my best to keep the content here useful, but as everyone knows, time is a scarce commodity these days!

Thanks,

- Scott -
Bill Dwight said…
Excellent entry Scott - very helpful. Thank you!
Anonymous said…
If you still had a 'real' logon page, should it be modified to use the page0 fields and application processes in order to prevent code duplication and ease maintenance down the line?
Scott said…
If you still had a 'real' logon page, should it be modified to use the page0 fields and application processes in order to prevent code duplication and ease maintenance down the line?

You could conceivably remove page 101 entirely, and then just use page 1 as a "login" page. If there was a field for username & password on all public pages, there simply woulnd't be a need for a dedicated login page.

Thanks,

- Scott -
Anonymous said…
Very interesting... I've done this before using other languages (Oracle, PSP's is one of them) but its cool to know that it's actually pretty easy with HTML-DB.

Thanks!
Anonymous said…
Hi Scott,

This is quite an approach...
However, I have a rather more challeging issue...
A client of mine just has an XE database and that's basicly it. now there is a business need to integrate all 4 (custom build)of the apex-applications into 1 sign on session. (log in once, and use all the applications).
any suggestions...
Scott said…
A client of mine just has an XE database and that's basicly it. now there is a business need to integrate all 4 (custom build)of the apex-applications into 1 sign on session. (log in once, and use all the applications).
any suggestions...


If all of the applications are in the same schema (workspace), then you should be able to share a cookie among them; thus, signing on to one should authenticate you to all.

Thanks,

- Scott -
Unknown said…
This comment has been removed by the author.

Popular posts from this blog

Custom Export to CSV

It's been a while since I've updated my blog. I've been quite busy lately, and just have not had the time that I used to. We're expecting our 1st child in just a few short weeks now, so most of my free time has been spent learning Lamaze breathing, making the weekly run to Babies R Us, and relocating my office from the larger room upstairs to the smaller one downstairs - which I do happen to like MUCH more than I had anticipated. I have everything I need within a short walk - a bathroom, beer fridge, and 52" HD TV. I only need to go upstairs to eat and sleep now, but alas, this will all change soon... Recently, I was asked if you could change the way Export to CSV in ApEx works. The short answer is, of course, no. But it's not too difficult to "roll your own" CSV export procedure. Why would you want to do this? Well, the customer's requirement was to manipulate some data when the Export link was clicked, and then export it to CSV in a forma

Refreshing PL/SQL Regions in APEX

If you've been using APEX long enough, you've probably used a PL/SQL Region to render some sort of HTML that the APEX built-in components simply can't handle. Perhaps a complex chart or region that has a lot of custom content and/or layout. While best practices may be to use an APEX component, or if not, build a plugin, we all know that sometimes reality doesn't give us that kind of time or flexibility. While the PL/SQL Region is quite powerful, it still lacks a key feature: the ability to be refreshed by a Dynamic Action. This is true even in APEX 5. Fortunately, there's a simple workaround that only requires a small change to your code: change your procedure to a function and call it from a Classic Report region. In changing your procedure to a function, you'll likely only need to make one type of change: converting and htp.prn calls to instead populate and return a variable at the end of the function. Most, if not all of the rest of the code can rem

Logging APEX Report Downloads

A customer recently asked how APEX could track who clicked “download” from an Interactive Grid.  After some quick searching of the logs, I realized that APEX simply does not record this type of activity, aside from a simple page view type of “AJAX” entry.  This was not specific enough, and of course, led to the next question - can we prevent users from downloading data from a grid entirely? I knew that any Javascript-based solution would fall short of their security requirements, since it is trivial to reconstruct the URL pattern required to initiate a download, even if the Javascript had removed the option from the menu.  Thus, I had to consider a PL/SQL-based approach - one that could not be bypassed by a malicious end user. To solve this problem, I turned to APEX’s Initialization PL/SQL Code parameter.  Any PL/SQL code entered in this region will be executed before any other APEX-related process.  Thus, it is literally the first place that a developer can interact with an APEX p