The Problem
Users click a link and see “Session state protection violation” or “The checksum for this page item is invalid.” This happens when APEX detects that a URL parameter has been tampered with, but it also triggers for legitimate links that are constructed incorrectly.
Why It Happens
Session State Protection adds a cryptographic checksum to URLs that set page item values. If anyone modifies the URL parameters without recalculating the checksum, APEX rejects the request. This protects against parameter tampering attacks, but it catches developers who build URLs incorrectly too.
Solution 1: Use APEX_PAGE.GET_URL
Never build APEX URLs by string concatenation. Always use APEX_PAGE.GET_URL, which automatically includes the correct checksum:
-- CORRECT: Checksum generated automatically
SELECT APEX_PAGE.GET_URL(
           p_page   => 20,
           p_items  => 'P20_ORDER_ID',
           p_values => order_id
       ) AS detail_link
  FROM orders;

-- WRONG: No checksum, will fail with SSP enabled
-- (f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues;
--  Request, Debug and ClearCache are left empty here)
SELECT 'f?p=' || :APP_ID || ':20:' || :SESSION || '::::P20_ORDER_ID:' || order_id
           AS detail_link
  FROM orders;
Solution 2: Check SSP Settings on Items
In the Page Designer, each page item has a “Session State Protection” property. “Unrestricted” means no checksum required. “Checksum Required – Session Level” requires a valid checksum. If an item must be set via URL from external sources (like email links), set it to “Unrestricted” but validate the value server-side in a Before Header process.
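One way to write that Before Header validation, as an added example that is not code from the original page. It assumes page 20 and item P20_ORDER_ID from the query above, and a hypothetical CUSTOMER_USERNAME column on ORDERS that records which APEX user owns each order:

```sql
-- Added example: PL/SQL body of a Before Header process on page 20.
-- Assumptions: P20_ORDER_ID is set to "Unrestricted"; ORDERS.ORDER_ID is
-- numeric; ORDERS.CUSTOMER_USERNAME is a hypothetical owner column.
DECLARE
    l_order_id  NUMBER;
    l_allowed   PLS_INTEGER;
BEGIN
    -- 1. The item arrives straight from the URL, so treat it as untrusted.
    IF :P20_ORDER_ID IS NULL THEN
        raise_application_error(-20001, 'Order ID is required.');
    END IF;

    -- 2. Format check: digits only, bounded length. Anything else is
    --    rejected before it reaches a query or is rendered on the page.
    IF NOT REGEXP_LIKE(:P20_ORDER_ID, '^[0-9]{1,18}$') THEN
        raise_application_error(-20002, 'Invalid order ID.');
    END IF;
    l_order_id := TO_NUMBER(:P20_ORDER_ID);

    -- 3. Authorization check: without a checksum nothing stops a user from
    --    editing the ID in the URL, so confirm the row belongs to them.
    SELECT COUNT(*)
      INTO l_allowed
      FROM orders o
     WHERE o.order_id = l_order_id
       AND o.customer_username = :APP_USER;

    IF l_allowed = 0 THEN
        -- Same message for "does not exist" and "not yours", so the
        -- response does not reveal which order IDs are valid.
        raise_application_error(-20003, 'Order not found.');
    END IF;
END;
```

Because the process runs before the page renders, a failed check stops the request before any region queries use the item value.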
Solution 3: Application-Level SSP Setting
In Shared Components, then Security, then Session State Protection, you can enable or disable SSP globally. During development, you might disable it to simplify testing. Always enable it for production deployments. Run the Session State Protection Violation report in APEX Advisor to identify items that might cause issues.
External Links
For URLs shared in emails or external systems, use APEX_PAGE.GET_URL with p_plain_url => TRUE, which generates a plain URL without a session ID. The user will be prompted to log in, and SSP will validate after authentication.