[SalesForce] Different Session Ids in Different contexts

I'm dealing with quite an unusual issue here, and was wondering if anyone had figured this out.

I'm trying to implement an OAuth flow from one salesforce instance to another (any other). And one of the issues I've run into is if the other instance has the same instance url of the "origin" instance. Everyone's encountered this, when you login to the other instance, you'll be logged out of the original one.

So, to try to get around this, I'm trying to use the frontdoor.jsp (http://docs.releasenotes.salesforce.com/en-us/winter14/release-notes/security_frontdoorjsp.htm) method.

So I'm passing in the UserInfo.getSessionId() in the "state" param, and my pass-through application (hosted on heroku) is forwarding the request back through frontdoor.jsp using the session id passed through.

Now, I was getting a really hard time getting this to work, but what I ended up noticing is that for each context, I was getting different output from the "UserInfo.getSessionId()" call. Not all of them worked when passing through frontdoor.jsp. Here's a summary of the different places I tried it:

Printing Session Id out to a visualforce page:
- Didn't work when passing this value through frontdoor.jsp
Print session id in debug log from VF controller
- Same session id as #1, still didn't work for frontdoor.jsp.
Print session id in developer console:
- Different session id from the VF page, but this one worked on frontdoor.jsp.
Print session id from a trigger:
- Yet another different session id, but worked with frontdoor.jsp
Printed from "Execute Anonymous" in Eclipse
- Yet another session Id, but also worked with frontdoor.jsp.

So what I need to know is this: how do I get the "proper" session id that works with frontdoor.jsp when I'm in the context of the Visualforce controller?

Best Answer

I think the only way you can use your Session ID for frontdoor.jsp is if it was generated in the context of a first class Salesforce session: ie $Api.Session_ID on a Custom Link or Custom Button appearing on a native page layout on the *.salesforce.com domain or *.my.salesforce.com (per 'My Domain' feature), or Developer Console (tooling API), Eclipse execute anonymous (SOAP API).

As you've discovered, the Salesforce session system is both highly complex but well architected (in terms of both security and user experience). There are several different variations I've encountered:

Session ID from na1.salesforce.com,
Session ID from OAuth eg username-password flow (not sure about this, see commentary)
Session ID from c.na1.visual.force.com,
Session ID from namespace.na1.visual.force.com,
Session ID from $Api.Session_ID
Session ID from Site Guest User or other anonymous context

1) and 2) are first class citizens and can be used to log in via frontdoor.jsp, but 3) and 4) will not allow you to use the API, nor access pages on other namespaces or setup pages, nor log in. 5) gives you API access but no login. 6) Will work with the Identity URL but that's about it.

A Visualforce session cannot be promoted to a Salesforce session. They can only be converted to Visualforce sessions in other namespaces by redirecting a series of HTTP requests through /visualforce/session :(

If you really need to get your user into another org as a first-class citizen, the best-supported mechanism might be deploying a Salesforce Authentication Provider into the target org, then directing the consuming users to those single sign on URLs.

Related Solutions

[SalesForce] Getting Session ID in Lightning

So, as it turns outs there is no way of getting a valid API-capable Session Id from lightning component, here is a quote from the partner discussion forums:

Three things:

There's no $Api global variable in Lightning Components today. So, {! $Api.whatever } will always fail.

This is intentional at this time. There's no official/supported way to get an API-capable session ID in Lightning Components. Again, this is by design.

With only a little creativity and cleverness you can create a bare-bones Visualforce page with {! $Api.SessionID }, and then call getContent(thatPage) from Apex to get a page that contains an API-capable session ID, which you should be able to parse out easily enough.

From there, it's not hard to pass that session ID along to Lightning Components via an @AuraEnabled method.

But let's be clear: this is a hack, the performance will be poor, and there's good reasons to keep an API-capable session ID out of your Lightning Components code.

So, I ended-up building the not recommended hack as a workaround for this to work in Lightning.

Just create a simple Visualforce Page as:

<apex:page>
    Start_Of_Session_Id{!$Api.Session_ID}End_Of_Session_Id
</apex:page>

And then get the Session Id with the visualforce_Page.getContent() method, something like:

public static MetadataService.MetadataPort createService()
{
    MetadataService.MetadataPort service = new MetadataService.MetadataPort();
    service.SessionHeader = new MetadataService.SessionHeader_element();
    //service.SessionHeader.sessionId = UserInfo.getSessionId();
    service.SessionHeader.sessionId = Utils.getSessionIdFromVFPage(Page.SessionId);
    return service;
}

Where

global class Utils {
    global static String getSessionIdFromVFPage(PageReference visualforcePage){
        String content = visualforcePage.getContent().toString();
        Integer s = content.indexOf('Start_Of_Session_Id') + 'Start_Of_Session_Id'.length(),
                e = content.indexOf('End_Of_Session_Id');
        return content.substring(s, e);
    }
}

And then you got a valid session id to work with.

[SalesForce] Getting Session ID in Apex Class

if you want the session id from javascript then use below code snippent: -

<apex:page >
 <script type="text/javascript">
        var sfdcSessionId = '{!GETSESSIONID()}';
 </script>
</apex:page>

it is working in my DE.

Best Answer

Related Solutions

[SalesForce] Getting Session ID in Lightning

[SalesForce] Getting Session ID in Apex Class

Related Topic