Skip to Main Content
  • Questions
  • Is it possible to run Oracle Apex without cookies ?

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question.

Asked: March 17, 2021 - 3:09 pm UTC

Last updated: March 31, 2021 - 4:27 am UTC

Version: 19.2

Viewed 100+ times

You Asked

Hi team,

I have an oracle apex 19.2 application.

My app is supposed to be integrated on my clients web sites as an iframe. This is something which works very badly since Safari doesn't accept third party cookies (cookies of my app are considered third pary cookies). Chrome will end accepting third party cookies as of next year as well. So my app keeps showing the error : your session has expired.

My app pages are public and don't require any authentication scheme.

I was wondering if it's possible to make an apex app that doesn't require any authentication work without Cookies.

Thanks. cheers,

and we said...

Starting from APEX 20.1, we have improved this issue with the SameSite cookie attribute (See MOS 2652326.1)

Before that, a workaround that people have been using is:

Go to : Application > Shared Components > Authentication Schemes > Create / Edit

- Change Type to 'Custom'
- If you have ORDS setup to have (say) "/apex" in the URL, set the Cookie Path to '/apex; SameSite=none'
- Set 'Secure' on

You may also need Shared Components / Security / "Embed in Frames" enabled., but I assume you've already got that done

Hope this helps.

Rating

  (2 ratings)

Comments

Youn, March 27, 2021 - 4:13 am UTC

Thanks for your answer but I don't understand how this solution can work. Whatever you try in the cookies configuration, Safari will always block them when they are in an iframe. When they are in a iFrame, it considers them as third-party cookies. Hence blocked. Here are the steps to reproduce the issue :

1 - Use any cookies configuration you want
2 - Insert an Apex App in an iFrame
3 - Open it in Safari or Chrome Incognito Mode
4 - You will notice the cookies are not created
5 - Try to submit a page of the apex app inside the iframe, you will get the error : Your session has expired.

Here is an article explaining how Apple blocks all cross sites cookies : https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking

I don't understand how you could make it work since it's not (only) about cookies configuration (same site for instance), it's about the default browser settings.

thanks
Connor McDonald
March 31, 2021 - 4:27 am UTC

Try no cookie mode.

Modify the application's Authentication Scheme, set the Session Sharing type to Custom, and provide a cookie name of "-NO_COOKIE-" .

Chuck Jolley, March 27, 2021 - 3:32 pm UTC

We have a page something like this case.
It's an ASP iframe that does database queries inside our 3ed party web host's pages.
We provide a link to open the iframe contents in a new tab if the user has problems. It's pretty sparse decoration wise, but at least it works.

More to Explore

APEX

Keep your APEX skills fresh by attending their regular Office Hours sessions.