Skip to Main Content
  • Questions

  • Is it possible to run Oracle Apex without cookies ?

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question.

Asked: March 17, 2021 - 3:09 pm UTC

Last updated: March 31, 2021 - 4:27 am UTC

Version: 19.2

Viewed 1000+ times

You Asked

Hi team,

I have an oracle apex 19.2 application.

My app is supposed to be integrated on my clients web sites as an iframe. This is something which works very badly since Safari doesn't accept third party cookies (cookies of my app are considered third pary cookies). Chrome will end accepting third party cookies as of next year as well. So my app keeps showing the error : your session has expired.

My app pages are public and don't require any authentication scheme.

I was wondering if it's possible to make an apex app that doesn't require any authentication work without Cookies.

Thanks. cheers,

and Connor said...

Starting from APEX 20.1, we have improved this issue with the SameSite cookie attribute (See MOS 2652326.1)

Before that, a workaround that people have been using is:

Go to : Application > Shared Components > Authentication Schemes > Create / Edit

- Change Type to 'Custom'
- If you have ORDS setup to have (say) "/apex" in the URL, set the Cookie Path to '/apex; SameSite=none'
- Set 'Secure' on

You may also need Shared Components / Security / "Embed in Frames" enabled., but I assume you've already got that done

Hope this helps.

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Youn, March 27, 2021 - 4:13 am UTC

Thanks for your answer but I don't understand how this solution can work. Whatever you try in the cookies configuration, Safari will always block them when they are in an iframe. When they are in a iFrame, it considers them as third-party cookies. Hence blocked. Here are the steps to reproduce the issue :

1 - Use any cookies configuration you want
2 - Insert an Apex App in an iFrame
3 - Open it in Safari or Chrome Incognito Mode
4 - You will notice the cookies are not created
5 - Try to submit a page of the apex app inside the iframe, you will get the error : Your session has expired.

Here is an article explaining how Apple blocks all cross sites cookies : https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking

I don't understand how you could make it work since it's not (only) about cookies configuration (same site for instance), it's about the default browser settings.

thanks
Connor McDonald
March 31, 2021 - 4:27 am UTC

Try no cookie mode.

Modify the application's Authentication Scheme, set the Session Sharing type to Custom, and provide a cookie name of "-NO_COOKIE-" .

Chuck Jolley, March 27, 2021 - 3:32 pm UTC

We have a page something like this case.
It's an ASP iframe that does database queries inside our 3ed party web host's pages.
We provide a link to open the iframe contents in a new tab if the user has problems. It's pretty sparse decoration wise, but at least it works.

APEX iFrame on Apple devices

Jan-Peter Meyer, March 23, 2025 - 9:45 am UTC

Hi Connor,
has there been any new development regarding this issue?
We recently ran in to the same problem with an iFrame containing an APEX 24.1 APP page where we keep getting "Your session has ended" on all Apple devices (and also in a Chrome incognito Window).
We have tried all the mentioned potential fixes ... the -NO_COOKIE_ approach actually sends the page into an endless refresh loop.

Thanx for any input,
Jan-Peter
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

APEX

Keep your APEX skills fresh by attending their regular Office Hours sessions.