Session state protection
Earlier in this book we looked at how buttons and branches can populate page items and application items via the APEX URL. We often use this technique to pass unique identifiers or other item values in the URL to customize the page we are calling. An example of this is a search page that calls an update page; we want the update page to display the record selected on the search page. Because these items are passed in the URL, a user could tamper with the URL and add, remove, or modify items and their values.
To demonstrate URL tampering, let's assume we have an edit employee screen that accepts an employee number parameter to determine which employee record to edit. The following URL will display employee number 222:
http://myserver:8080/apex/f?p=101:10:12345::::EMPNO:222
Let's now modify the employee number parameter in the URL to display employee number 999:
http://myserver:8080/apex/f?p=101:10:12345::::EMPNO:999
As we can see, we have...
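To make the tampering concrete, the following added example (not code from the book or from APEX itself) parses the positional `f?p=` format used in the URLs above and shows the defensive principle: the server binds the item values to the session with a keyed digest, so an edited value such as `EMPNO:999` no longer matches. The `cs` query parameter, the digest layout and the server secret are assumptions made for the illustration, not APEX's actual implementation.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Positional fields of the APEX f?p= parameter, in the order they appear.
FIELDS = ["app", "page", "session", "request", "debug",
          "clear_cache", "item_names", "item_values", "printer_friendly"]


def parse_apex_url(url):
    """Split an f?p= URL into its positional fields plus an item -> value dict."""
    query = parse_qs(urlparse(url).query)
    parts = query["p"][0].split(":")
    parts += [""] * (len(FIELDS) - len(parts))       # pad missing trailing fields
    fields = dict(zip(FIELDS, parts))
    names = [n for n in fields["item_names"].split(",") if n]
    values = fields["item_values"].split(",") if fields["item_values"] else []
    fields["items"] = dict(zip(names, values))
    return fields


def item_checksum(session, items, secret):
    """Keyed digest over the session id and the sorted item name/value pairs.
    Hypothetical scheme: it only illustrates binding item values to a session."""
    canonical = session + "|" + "|".join(f"{k}={items[k]}" for k in sorted(items))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def protected_url(url, secret):
    """What the server would emit: the original URL plus a digest of its items."""
    f = parse_apex_url(url)
    return url + "&cs=" + item_checksum(f["session"], f["items"], secret)


def is_trusted(url, secret):
    """Server-side check: recompute the digest from the URL's own item values.
    Any added, removed or edited item value breaks the match."""
    f = parse_apex_url(url)
    presented = parse_qs(urlparse(url).query).get("cs", [""])[0]
    expected = item_checksum(f["session"], f["items"], secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    secret = b"constructed-server-secret"              # constructed sample secret
    good = protected_url("http://myserver:8080/apex/f?p=101:10:12345::::EMPNO:222", secret)
    print(is_trusted(good, secret))                                     # True
    print(is_trusted(good.replace("EMPNO:222", "EMPNO:999"), secret))   # False
```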