Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: package session vars/ logins

Re: package session vars/ logins

From: Vladimir M. Zakharychev <>
Date: Mon, 15 Oct 2007 05:36:31 -0700
Message-ID: <>

On Oct 15, 7:01 am, Jake <> wrote:
> Would it be a realistic usage of package vars to hold, for example, a
> userid of a current logged in user?
> Say, for example, if I had a table of usernames, passwords, and
> userids. I could have the person using the application log in and
> check their user name and password in a table (basically handling the
> login myself). From that point they can access that user's data.
> Once the session ends their access to data ends too.
> This is how I would do it in PHP/MySql (w/ PHP session vars) or
> VB .NET/Sql Server. Not sure if the example translates though, or
> would you want a separate Oracle username for each person?
> Also, what are some other realistic uses of package vars? thanks.

If the session is persistent (that is, the session is not shared between different users,) then yes, you can do it that way; though I would rather use a user-defined session context for this (research CREATE CONTEXT in the docs.) One good reason for using contexts is that sys_context() in a query is treated as a bind variable by the CBO (mostly for efficient FGAC policy implementations, but applies equally well wherever you use dynamic SQL.) Another good reason is that contexts are more secure: only single authorized package or procedure in the database may add or alter values in certain context (for example, the package where you handle user login - check credentials, determine access rights, etc.,) while packaged variables can be altered by the user anytime (don't expect that users will always use only your front-end to connect to the database, plan for the smartest of them. :))


   Vladimir M. Zakharychev
   N-Networks, makers of Dynamic PSP(tm) Received on Mon Oct 15 2007 - 07:36:31 CDT

Original text of this message