Based on threads such as Calling Apex Rest custom web service from Apex code we have HTTP calls in our Apex code (contained in a managed package) back to the same org authorized like this:
HttpRequest req = new HttpRequest();
req.setHeader('Authorization', 'OAuth ' + UserInfo.getSessionId());
....
Today in a sandbox that is running Winter '15 we are always getting a 401 (Unauthorized) status back with a body of:
{
"message":"Session expired or invalid",
"errorCode":"INVALID_SESSION_ID"
}
We've had a look through the Salesforce.com Winter ’15 Release Notes and don't see any direct change in this area.
Has anyone else had a problem with this sort of code in a Winter ’15 preview org?
PS Just tested from the developer console with an SA User and the call worked. The User involved where we get the problem is the "Site Guest User" of a Force.com Site. However, this could also relate to the observation that different session IDs are returned depending on whether the call is made from inside a managed package or not – see Get a FIRST-CLASS SessionID for API Calls (looking for a clean way or alternative).
PPS Based on creating a simple test page, it looks like UserInfo.getSessionId() now returns null for a "Site Guest User" of a Force.com Site in in Winter '15 preview whereas before that it returned a valid session ID. This change in behaviour is not API versioned.
Best Answer
Salesforce backed out this across-the-board change and made it a versioned changed. API Version 31 and earlier will continue to return the session ID from UserInfo.getSessionId() when in the Sites guest user context. Your VF Page and Apex Controller must be Version 31 or earlier.
The patch hit the Winter '15 sandboxes last night (Sept 30) and will hit the only production instance (NA1) currently running Winter '15 tonight and will be included with the rest of the pod upgrades on Oct 3rd and Oct 17.
(This is not documented publicly as a Known Issue nor included in the Release Notes)