>>So you are telling me the two options of when to set my 'message', etc items?
You can do this whenever and wherever you like, I only gave two options that seem to fit what you were describing. There are other options too - for example, a page process that sets a specific page item.
>>If that is so, does that mean that I shoudl totally forgo my own authentication function, use the standard 'wwv_flow_custom_auth_std.login' in conjunction with my newly creaed authentication theme and then in my 'After Authentication' I can set my parameters?
That is not what I meant at all. You create your own authentication function, and that is what you call in the Authentication Scheme (as I described above). The wwv_... call is just to register within APEX and to obtain a new, valid Session ID, but you are still responsible for the actual authentication against the user tables.
1) You don't necessarily need to run a stored procedure. You can write PL/SQL code in the post-authentication process.
2) That could be because you are not validating correctly. Create a new, basic authentication scheme that does nothing but validate a user/password combo. Change your authentication scheme to this new one, then see if you can log in correctly.
For example, here's one simple authentication scheme I have on a local app:
Name - the name of the authentication scheme
Subscription - none
Page Session Management - all fields blank except Session Not Valid URL (f?p=<APP_ID>:101:&SESSION.)
Login Processing - all fields blank except Authentication Function (return p_m_security.authenticate_user; )
Cookie Attributes - you can set a cookie name or leave everything blank
Logout URL - wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=&APP_ID.:1
Notice that I use page 101 as my default page for when the session is not valid. Page 101 is the login page, so on that page I use the following process:
wwv_flow_custom_auth_std.login(
P_UNAME => :P101_USERNAME,
P_PASSWORD => :P101_PASSWORD,
P_SESSION_ID => v('APP_SESSION'),
P_FLOW_PAGE => :APP_ID||':1'
);
which is called once, after Submit.
Then the authentication function ( return p_m_security.authenticate_user; ) can be reduced down to "return true;" or actual validation code. If you can get this entire process to work, then you can start adding more complexity to your scheme.