Try the steps as listed in MOS Note 246696.1:

Custom Logout Procedure for PL/SQL Gateway

PURPOSE
-------

To provide deauthentication options with the PL/SQL Gateway (mod_plsql), which
is provided with all versions of Oracle9i Application Server (9iAS) and
OracleAS 10g.


SCOPE & APPLICATION
-------------------

This is for Website and Database Administrators desiring to control mod_plsql
sessions. This is only for use with Basic Athentication. Basic Authentication
is used if the Username and/or Password are not configured within a DAD.

This has been tested on the following:

- Oracle9i Application Server (9iAS) Release 1 (1.0.2.2)
- Oracle9i Application Server (9iAS) Release 2 (9.0.2)
- Oracle Application Server 10g Release 1 (9.0.4)
- Oracle Application Server 10g Release 2(10.1.2)

This should work with any other implementation of mod_plsql and use
of Basic Authentication. This includes the Oracle HTTP Server delivered
with the Database product.

If using the newer Single Sign-On (SSO) features, this will not apply. If
using "Custom Authentication" or "Per Package Authentication", this will
not apply. Only when "Basic Authentication" selected within the DAD configuration.

Sample is given as-is, and does exactly as stated. Custom code can be worked
around it, and may or may not have further restrictions, depending on the
application built around it. Suggestions given for custom usage are only
suggestions. If needing further help implementing, Oracle Consulting should be
engaged.


Custom Logout Procedure for PL/SQL Gateway
------------------------------------------

mod_plsql allows users to log off (clear HTTP authentication information)
programmatically through a PL/SQL procedure without having to exit all browser
instances. This feature is supported on Netscape 3.0 or higher and on Microsoft
Internet Explorer. On other browsers, the user may have to exit the browser to
deauthenticate. This method of deauthentication is to add "/logmeoff" after the
DAD in the URL. For example:

http://servername:port/pls/myDAD/logmeoff

The only caveat is that the page rendered is plain text confirming the
deauthentication. It will lack any user interface for your application.
This will also only work if the Authentication Mode is set to "Basic",
which has been the most common form of authentication with mod_plsql. In
order to customize this log off, you should create your own procedure to
deauthenticate. Below is a sample:

--------------------------------

CREATE OR REPLACE PROCEDURE logout as

BEGIN

owa_util.mime_header('text/html',FALSE);

-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
owa_util.http_header_close;

htp.p('You have been logged off of the WEBSITE');
htp.anchor( ' http://www.oracle.com', 'click here');
htp.p('bye');
END;

----------------------

To test the deauthentication, you would directly call this procedure, and then
call another procedure to ensure you are prompted for credentials again. This
can be implemented in an application by providing a hyperlink to this procedure
for users to "logoff", and direct users to desired functionality.

To take it step further, one may want the functionality to automatically
deauthenticate over a period of time. A "timeout feature". There are many
ways to do this with different considerations. One example is to insert a
META Tag in each procedure, which refreshes to the logout procedure in the
specified time period.

Include the following in each of your pages, within the <HEAD> of the HTML:

htp.p('<META HTTP-EQUIV=Refresh CONTENT="900; URL=./logout">');

This tells the page to execute the "logout" procedure after 900 seconds of
inactivity. If a user is idle for 15 minutes, (on the same page) they are
automatically sent to the logout page. This can be abrupt, if the time is
too short and/or users are still using that page, (perhaps slowly filling
out a Form).

This functionality can be customized within your application. (see below).
The key is to control the deauthentication within the client browser side.
The "session" is on the client side, not a session in the database.

When "Custom Authentication" is used, (as opposed the "Basic Authentication"),
within a PL/SQL application, authentication is controlled by application
code within the database. These examples may help develop a custom
de-authentication method, as well. Basically, integrating the custom
authentication into HTTP/browser mechanisms to control a client session.

Note: This deauthentication has no control over sessions or processes within
the database. The session being controlled here is between OHS/mod_plsql and
the client browser by expiring a previously set cookie. There is no need to
control the database sessions during this, as this is controlled by mod_plsql,
unrelated to the actual user logging on. More explanation of mod_plsql and
database sessions/processes used is in the mod_plsql User's Guide, linked below.


Examples to Customize a De-Authentication Method:
-------------------------------------------------

(Only examples are given as Oracle Support does not support the
code/implementation of such custom de-authentication)

1. This can be implemented within a frame site, and have one frame control the
session, (with the MetaTag, above), and direct to a login page at a specified
time period. While the user may be working in the other frame, they will not
lose their page or Form data while the other frame redirects. Your mini-frame
can display a "login" button, which calls the original protected mini-frame
page with the MetaTag refresh, and the user can just continue their work
in the larger frame. Designed cleanly, this is an excellent quick-n-easy
solution.

2. A JavaScript program with a popup can also be used to execute the actual
timeout. A user can be prompted, (with timed buffer), to continue their
session, (restarting the timer). After the 30 second buffer, the logout
procedure is called, and the user is logged out. The user should have a choice
to continue the session, or immediately logout. The JavaScript code for
this functionality is beyond the scope of Oracle Support.

3. Another way is through the use of your own cookies. A cookie can be set upon
logon, and be set to expire (timeout) in a certain amount of time. For each
request made by the user, the cookie is checked. If not expired, the request is
granted. If the cookie expired (or not set), a login page will be prompted. If
built into the custom login code, the original request can be remembered, and
send the user back to the page they requested. Overall, this is considered
the best solution. The custom code for this functionality is beyond the
scope of Oracle Support.

Example #3 is what Oracle Single Sign-On implements, and is provided with 9iAS
Release 2 (9.0.2+) and OracleAS 10g (9.0.4+). It has a configurable "Inactivity
Timeout". It is used if your PL/SQL DAD is configured to be protected by SSO.
The PL/SQL DAD should have the username/password configured in the DAD, and the
actual user's login managed by Oracle Internet Directory (OID) through
Single Sign-On (SSO).

Note 269688.1 How to Obtain the SSO Username for a PL/SQL Application
Note 273379.1 How to Protect mod_plsql DAD with SSO