Wednesday, January 18, 2006

Username and Password on Every Page

Well, not really, as that would be bad. However, I’ve often wondered how to include a field for the username and password on every public page, making the sign on process one less click. Well, there’s nothing like learning how to do something like having a customer requirement!

A current client wants a largely public site – that is, you do not need to authenticate to see most of it. Simple enough – just set the Page Attributes Security to Page is Public. However, the client also wanted the username and password field to appear on each and every public page.

From a developer point of view, I didn’t want to have to put any items on any page aside from Page Zero. Thus, every time that I add a page to the application, the login region would simply show up. This required a bit more thought.

Here’s what I came up with: I created a region on Page Zero which holds my username and password fields, as well as a Login button. The button is not an item button, but rather a true button which submits the page when clicked. I also set this region to only display when the user was unauthenticated.

In order to accommodate authenticated users, I also created an HTML region on Page Zero which only renders when the user is authenticated. This region simply displays a welcome message to the user.

Next, I created 2 application level processes to handle the actual authentication process. These two processes are copies of the Set Username Cookie & Login processes which are typically found on Page 101 of your HTML DB Application. These processes are set to run only when the REQUEST = P0_LOGIN, which is the name of my button on Page Zero.

Thus, when you enter a valid username and password and click the Login button on any public page in my application, you are authenticated and returned to the page from which you came. All without any code or items on any page aside from Page Zero!

Steps to Implement
  1. Create Page 0

  2. Create an HTML Region on Page 0 called Login

  3. Set condition of that region to User is the Public User (user has not authenticated)

  4. In that region, create two items:
    P0_USERNAME
    - Text
    P0_PASSWORD - Password

  5. Create an HTML Region on Page 0 called Welcome

  6. In the source of that region, enter a simple welcome message, such as Welcome, &APP_USER.

  7. Set condition of that region to User is Authenticated (user has not authenticated)

  8. Create a Button named P0_LOGIN on Page 0 in the Login region
    - Select Create Button in a Region Position when prompted
    - Leave Branch to Page blank

  9. Create an Application Level Process:
    Sequence
    : 1
    Process Point
    : On Submit: After Page Submission – After Computations and Values
    Name
    : Set Cookie
    Type
    : PL/SQL Procedure
    Process Text
    :
    begin

    owa_util.mime_header('text/html', FALSE);

    owa_cookie.send(

    name => 'LOGIN_USERNAME_COOKIE',

    value => lower(:P0_USERNAME));

    exception
    when others then null;

    end;

    Process Error Message
    : An Error Has Occured
    Condition Type
    : Request = Expression 1
    Expression 1
    : P0_LOGIN

  10. Create an Application Level Process:
    Sequence
    : 2
    Process Point
    : On Submit: After Page Submission – After Computations and Values
    Name
    : Login
    Type
    : PL/SQL Procedure
    Process Text
    :
    begin

    wwv_flow_custom_auth_std.login(

    P_UNAME => :P0_USERNAME,

    P_PASSWORD => :P0_PASSWORD,

    P_SESSION_ID => v('APP_SESSION'),

    P_FLOW_PAGE => :APP_ID||':&APP_PAGE_ID.'
    );
    :P0_USERNAME := null;

    :P0_PASSWORD := null;

    end;


    Process Error Message
    : An Error Has Occured
    Condition Type
    : Request = Expression 1
    Expression 1
    : P0_LOGIN

  11. Edit your current Authentication Scheme, and set the Logout URL to redirect to a public page, not page 101.

  12. Set the Security - Authentication to at least one page in your application to Page is Public.

You should now be able to sign on from any public page in your applicaion.

9 comments:

Jochen said...

Hmm, interesting to read. I have to keep this tip in mind, just in case of.. You should post more blog entries like this :)

Scott said...

You should post more blog entries like this :)

Thanks for the feedback - I try my best to keep the content here useful, but as everyone knows, time is a scarce commodity these days!

Thanks,

- Scott -

Bill Dwight said...

Excellent entry Scott - very helpful. Thank you!

Glenm said...

If you still had a 'real' logon page, should it be modified to use the page0 fields and application processes in order to prevent code duplication and ease maintenance down the line?

Scott said...

If you still had a 'real' logon page, should it be modified to use the page0 fields and application processes in order to prevent code duplication and ease maintenance down the line?

You could conceivably remove page 101 entirely, and then just use page 1 as a "login" page. If there was a field for username & password on all public pages, there simply woulnd't be a need for a dedicated login page.

Thanks,

- Scott -

Doug Gault said...

Very interesting... I've done this before using other languages (Oracle, PSP's is one of them) but its cool to know that it's actually pretty easy with HTML-DB.

Thanks!

Anonymous said...

Hi Scott,

This is quite an approach...
However, I have a rather more challeging issue...
A client of mine just has an XE database and that's basicly it. now there is a business need to integrate all 4 (custom build)of the apex-applications into 1 sign on session. (log in once, and use all the applications).
any suggestions...

Scott said...

A client of mine just has an XE database and that's basicly it. now there is a business need to integrate all 4 (custom build)of the apex-applications into 1 sign on session. (log in once, and use all the applications).
any suggestions...


If all of the applications are in the same schema (workspace), then you should be able to share a cookie among them; thus, signing on to one should authenticate you to all.

Thanks,

- Scott -

J-P said...
This comment has been removed by the author.