With the exception of the database username, session ID, and timestamps, most session-level values can be easily manipulated by the user and are not reliable for security protections or audit trails.
Using sample code provided by Oracle, any skilled Oracle database administrator or developer should be able to create a simple Java program that sets all session values to arbitrary values with the exception of the database username, session ID, IP address, and timestamps. The lack of reliability of the database session information must be carefully considered when designing security protections.
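As an added example (not from the original page or from Oracle), the PL/SQL below contrasts a logon trigger that gates access on the client-reported program name with an audit trigger that keys its records on the values the text lists as reliable and stores everything else as claimed only. The table, trigger and account names are hypothetical, and the trigger owner is assumed to have a direct SELECT grant on V_$SESSION.

```sql
-- Added example; PAYROLL_APP, app_logon_audit and both trigger names are hypothetical.
-- Assumption: the trigger owner has a direct SELECT grant on V_$SESSION.

-- Weak: the decision depends on PROGRAM, a value the client reports about itself.
CREATE OR REPLACE TRIGGER trg_logon_weak
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(128);
BEGIN
  SELECT s.program INTO v_program
    FROM v$session s
   WHERE s.sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'PAYROLL_APP'
     AND NVL(v_program, '-') NOT LIKE 'payroll%' THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unapproved client program');
  END IF;
END;
/

-- Corrected: no decision is made on client-supplied values. The audit row is
-- keyed on the values the text lists as reliable; the rest is kept as a claim.
CREATE TABLE app_logon_audit (
  db_username     VARCHAR2(128) NOT NULL,  -- authenticated database username
  session_id      NUMBER        NOT NULL,  -- session ID assigned by the server
  logon_time      TIMESTAMP     NOT NULL,  -- server clock, not client time
  claimed_os_user VARCHAR2(128),           -- client-supplied, informational only
  claimed_machine VARCHAR2(128),           -- client-supplied, informational only
  claimed_program VARCHAR2(128)            -- client-supplied, informational only
);

CREATE OR REPLACE TRIGGER trg_logon_audit
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO app_logon_audit
        (db_username, session_id, logon_time,
         claimed_os_user, claimed_machine, claimed_program)
  SELECT SYS_CONTEXT('USERENV', 'SESSION_USER'),
         s.sid, SYSTIMESTAMP,
         s.osuser, s.machine, s.program
    FROM v$session s
   WHERE s.sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));
END;
/
```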
Spoofing Oracle session information