And that’s how the cookie crumbles

Yesterday I was creating a “remember me” functionality in an APEX authentication scheme. Fairly simple:

  1. add a “remember me” checkbox-item on the login page
  2. create a custom login procedure that
    1. sets a cookie
    2. calls the apex_authentication.login procedure
  3. create an auto-login procedure “before headers” that reads the cookie and, if everything is OK, logs in the user.

In essence:

procedure do_login(p_username        varchar2 default null
                  ,p_password        varchar2 default null
                  ,p_remember_me     varchar2 default null
                  ,p_post_login_page number default null)
is
  -- local copy of the username (plain assignment assumed here)
  l_username varchar2(255) := p_username;
  l_auth     boolean := false;
begin
  -- check the credentials first
  l_auth := authenticate(p_username => l_username, p_password => p_password);

  if l_auth
  then
    -- only touch the cookie once the credentials have been verified
    if p_remember_me = 'Y'
    then
      --write the cookie
      output_cookie(p_username => l_username);
    else
      --empty out the cookie
      remove_cookie;
    end if;

    -- set the post login page
    apex_util.set_session_state(p_name  => 'FSP_AFTER_LOGIN_URL'
                               ,p_value => 'f?p=' || v('APP_ID') || ':' || p_post_login_page || ':' || v('APP_SESSION') || '::' || v('DEBUG'));
    -- Actually log-in
    apex_authentication.login(p_username => l_username, p_password => p_password);

  else
    raise_application_error(-20001,'Invalid username and password.');

  end if;
end do_login;

output_cookie writes the cookie using:

owa_cookie.send('name', 'value');

Fairly simple code, is it not?

But whatever I tried (removing logging lines, setting HTML headers, etc.), my cookie was not written.

In the end it was a simple thing. Since APEX 5.1 the page does not “SUBMIT” by default, but instead uses “Only for success”.

With that setting the browser does a kind of AJAX call, interprets the result of the validations and the “on submit” processes, and acts accordingly.

My owa_cookie.send, however, sends these cookies using HTTP response headers, and the JavaScript engine responsible for doing the AJAX call will of course not interpret those, so the browser will not receive the cookies.

It is therefore essential that when writing cookies you always use the “Always” setting at page level, as displayed in the image above.
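One way to fill in output_cookie and the auto-login procedure from step 3, as an added example that is not the code from this post: the cookie carries a random token and only its hash is stored server-side. The table remember_me_tokens, the cookie name REMEMBER_ME, the 30-day lifetime and the procedure name auto_login are assumptions, as is execute privilege on dbms_crypto.

```plsql
-- Hypothetical table: one row per issued token; only the hash is stored.
create table remember_me_tokens (
  token_hash raw(32) primary key,
  username   varchar2(255) not null,
  expires_on date not null
);

create or replace procedure output_cookie(p_username in varchar2) is
  -- 32 random bytes, hex encoded; the cookie itself carries no user data
  l_token varchar2(64) := rawtohex(dbms_crypto.randombytes(32));
  l_hash  raw(32);
begin
  l_hash := dbms_crypto.hash(utl_raw.cast_to_raw(l_token), dbms_crypto.hash_sh256);
  insert into remember_me_tokens (token_hash, username, expires_on)
  values (l_hash, p_username, sysdate + 30);
  -- Sent as a response header, so the login page must use the "Always"
  -- setting described above for the browser to store it.
  owa_cookie.send(name => 'REMEMBER_ME', value => l_token,
                  expires => sysdate + 30, path => '/',
                  secure => 'Y', httponly => 'Y');
end output_cookie;
/

create or replace procedure auto_login is
  l_cookie   owa_cookie.cookie;
  l_hash     raw(32);
  l_username remember_me_tokens.username%type;
begin
  l_cookie := owa_cookie.get('REMEMBER_ME');
  -- No cookie, or a value that is not 64 hex characters: nothing to do.
  if nvl(l_cookie.num_vals, 0) = 0
     or not regexp_like(l_cookie.vals(1), '^[0-9A-F]{64}$')
  then
    return;
  end if;
  l_hash := dbms_crypto.hash(utl_raw.cast_to_raw(l_cookie.vals(1)), dbms_crypto.hash_sh256);
  select username
    into l_username
    from remember_me_tokens
   where token_hash = l_hash
     and expires_on > sysdate;
  -- Token is known and still valid: establish the session without a password.
  apex_authentication.post_login(p_username => l_username, p_password => null);
exception
  when no_data_found then
    null; -- unknown or expired token: fall through to the normal login page
end auto_login;
/
```

A matching remove_cookie would delete the row for the presented token and send the cookie again with an expiry date in the past.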

Regards,
Richard