Database: Oracle 8i 8.1.7
Application: Developed through IDS (Forms & Report 6i, Query & PRO C)
The users log on to the database through the above application. After logging on to the system, the application assigns them insert & update grants for the tables which the users otherwise don't have. When the users come out of the application, these grants are revoked.
But if a user opens another connection through 'sqlplus' during the connected period through my application, he gets to enjoy the rights to update/insert in tables through the 'sqlplus'. This way he is able to manipulate the data using another session.
Your application should not be granting and revoking privileges like that.
Instead, PERMANENTLY grant the required privileges to a ROLE that has a password (which the user will not know). The application can then use SET ROLE to enable the role.
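
The setup described in the answer above, sketched as an added example that is not part of the original posts. The names app_dml_role, app_owner.orders and app_user1 and the password placeholder are assumptions chosen for illustration.

```sql
-- Hypothetical names throughout: app_dml_role, app_owner.orders, app_user1.

-- 1. One-time setup by a DBA: a password-protected role owns the DML rights.
CREATE ROLE app_dml_role IDENTIFIED BY role_password_placeholder;
GRANT INSERT, UPDATE ON app_owner.orders TO app_dml_role;

-- 2. Remove any direct object grants left over from the old grant/revoke
--    scheme; a direct grant is usable from every session of that user,
--    including one opened in sqlplus.
REVOKE INSERT, UPDATE ON app_owner.orders FROM app_user1;

-- 3. Grant the role, but keep it out of the user's default roles.
--    A default role is enabled at logon without the password being asked
--    for, which would recreate the original problem.
GRANT app_dml_role TO app_user1;
ALTER USER app_user1 DEFAULT ROLE ALL EXCEPT app_dml_role;

-- 4. Inside the application session only, after connecting as the user.
--    SET ROLE disables every role not named in the statement, so list any
--    other roles the session still needs alongside this one.
SET ROLE app_dml_role IDENTIFIED BY role_password_placeholder;

-- 5. Checks.
--    Run in the application session: app_dml_role should be listed.
--    Run in a plain sqlplus session of the same user: it should not be.
SELECT role FROM session_roles;

--    Run as a DBA: DEFAULT_ROLE should be NO for the protected role.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER1';
```

The role is enabled per session, so a second connection opened by the same user starts without it. The protection depends on the role password not being readable from the application's files or source by the users.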