[SalesForce] What counts as a login for login-limited licenses (Authenticated Sites / High Volume Customer Portal)

We're re-building a webservice that previously had its own authentication and security model baked in. Instead of having the webservice handle this we're looking at switching to using an Authenticated Sites license with a monthly login limit to let Salesforce handle that for us.

I'm digging through the Salesforce license documentation and while I can find a very precise definition for what constitutes a page view in sites, I can't find any definition for what constitutes a login. The webservice is going to be consumed by external websites outside our control, so we're a little concerned that if they don't manage sessions well a single transaction could consume a large number of logins (i.e. if they stored the username/password and did a login call for each transaction).

Does anyone have details on how exactly this is determined?

If a session expires and we have to log in again, does that count as a new login?

Is there a way to generate a longer duration access token (i.e. OAuth) with Authenticated Sites licenses?

Best Answer

The quick answer: if it appears in the User Logins admin report in Salesforce, it's counted.

The longer answer: yes, if someone explicitly signs in multiple times during a session, even when they were already logged in, it is counted. So yes, you will need to be diligent about this. If it's a web service, what I would do is make it a term of service that they can't do more than X logins per day, and/or they can't do multiple sign-ins within Y minutes of each other. Write a periodic batch job that looks at user logins and de-activates the accounts of users who violate this (sends emails too).

As for your last question, what's going to be the usage model for Sites? How are your web services produced (e.g. Apex WS? Apex REST? etc.) and how are your consumers signing in? You're going to want to avoid anything close to rolling your own access tokens and/or sign-in methods, since if you do that you may as well not be using the SFDC security model at all.

(Disclaimer: my data about how logins are counted is about a year old but I'd be very surprised if it's changed.)
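
The policy check behind the batch job suggested in the answer, as an added example that is not part of the original answer or any Salesforce code: it flags accounts that exceed X logins per day or sign in again within Y minutes. The thresholds, the `(username, login time)` record layout and the sample rows are assumptions constructed for illustration; the deactivation and email steps would run inside Salesforce and are not shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_LOGINS_PER_DAY = 5            # "X" from the answer; the value is an assumption
MIN_GAP = timedelta(minutes=10)   # "Y" from the answer; the value is an assumption

def _spread(user, start, step_seconds, count):
    """Build constructed login rows for one user, evenly spaced from `start`."""
    t0 = datetime.fromisoformat(start)
    return [(user, (t0 + timedelta(seconds=step_seconds * i)).isoformat())
            for i in range(count)]

# Constructed sample data (not real login history).
SAMPLE_LOGINS = (
    _spread("partner-a@example.com", "2024-01-10T09:00:00", 4 * 3600, 3)    # well behaved
    + _spread("partner-b@example.com", "2024-01-10T09:00:00", 40, 6)        # login per transaction
    + _spread("partner-c@example.com", "2024-01-10T08:00:00", 300, 2)       # quick re-login
    + _spread("partner-d@example.com", "2024-01-10T01:00:00", 2 * 3600, 6)  # too many per day
)

def find_violations(rows, max_per_day=MAX_LOGINS_PER_DAY, min_gap=MIN_GAP):
    """Return {username: sorted list of broken rules} for the given login rows."""
    by_user = defaultdict(list)
    for user, ts in rows:
        by_user[user].append(datetime.fromisoformat(ts))

    violations = {}
    for user, times in by_user.items():
        times.sort()
        reasons = set()
        # Rule 1: more than max_per_day logins on any calendar day.
        per_day = defaultdict(int)
        for t in times:
            per_day[t.date()] += 1
        if any(n > max_per_day for n in per_day.values()):
            reasons.add("daily_cap")
        # Rule 2: two consecutive logins closer together than min_gap.
        if any(later - earlier < min_gap
               for earlier, later in zip(times, times[1:])):
            reasons.add("rapid_relogin")
        if reasons:
            violations[user] = sorted(reasons)
    return violations

if __name__ == "__main__":
    for account, rules in sorted(find_violations(SAMPLE_LOGINS).items()):
        print(account, rules)
```
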