And that’s how the cookie crumbles

Published by Richard Martens on

Yesterday I was creating a “remember me” functionality in an APEX authentication scheme. Fairly simple:

  1. add a “remember me” checkbox-item on the login page
  2. create a custom login procedure that
    1. sets a cookie
    2. calls the apex_authentication.login procedure
  3. Create an auto-login procedure “before headers” that reads the cookie and if everything ok logs in the user.

In essence:

procedure do_login(p_username        varchar2 default null
                  ,p_password        varchar2 default null
                  ,p_remember_me     varchar2 default null
                  ,p_post_login_page number default null)
  l_auth     boolean := false;
  l_auth := authenticate(p_username => l_username, p_password => p_password);
  if p_remember_me = 'Y'
    --write the cookie
    output_cookie(p_username => l_username);
    --empty out the cookie
  end if;
  if l_auth
    -- set the post login page
    apex_util.set_session_state(p_name  => 'FSP_AFTER_LOGIN_URL'
                               ,p_value => 'f?p=' || v('APP_ID') || ':' || p_post_login_page || ':' || v('APP_SESSION') || '::' || v('DEBUG'));
    -- Actually log-in
    apex_authentication.login(p_username => l_username, p_password => p_password);
    raise_application_error(-20001,'Invalid username and password.');
  end if;
end do_login;

output_cookie writes the cookie using:

owa_cookie.send('name', 'value');

Fairly simple code is it not?

But whatever I tried: removing logging-lines, setting html-headers etc., etc. my cookie was not written:

In the end it was a simple thing. Since APEX 5.1 the page does not “SUBMIT” by default, but instead does this “Only for succes”.

Here the browser will do kind of an AJAX call, interprets the result from validations and the “on submit” processes and will act accordingly.

My owa_cookie.send however will send these cookies using http result headers and the javascript engine responsible for doing the AJAX call of course will not interpret those and therefore the browser will not receive the cookies.

It is therefore essential that when writing cookies you always use the “Always” setting at page level, as displayed in the image above.


Richard Martens

Richard Martens has been involved in information technology for more than 20 years. He started as a web developer using the Oracle database as no more than data storage. Richard has been responsible for major European multilingual websites and has been working with the Oracle database since 2000. During those years, he developed himself using a multitude of technologies and specialized in PL/SQL and Oracle APEX. With APEX, he combines the things he loves most: the Oracle database and web technologies.