When you use the OAuth 2.0 hybrid app token flow, you use scopes to request session IDs
(SID) and domain values. You then use these SIDs and domain values to set browser cookies and
establish sessions in your hybrid app. When you refresh your access token, you receive new SIDs
and domains to reset the browser cookies.
Required Editions
Available in: both Salesforce Classic and Lightning Experience
Available in: All Editions
Salesforce supports cookies that let you establish sessions with these domains.
Primary Salesforce app via the web scope
Content resources via the content scope
Lightning apps via the lightning scope
Visualforce pages via the visualforce scope
The web scope is a prerequisite to use the hybrid app flow—at minimum, your
hybrid app must be able to access your primary Salesforce domain. To access content resources,
Lightning apps, and Visualforce domains, assign their associated scopes in addition to the
web scope. For example, to access Lightning domains, assign your external
client app or connected app the web and lightning
scopes.
In all scenarios, you receive the sidCookieName, cookie-sid_Client, and cookie-ClientSrc values. These values are tied to the web scope.
When you use the hybrid app refresh token flow, you receive new return values that you use to
reset the session cookies.
This table summarizes the return parameters you receive for each scope.
Scope         Return Parameters
web           sidCookieName, cookie-sid_Client, cookie-ClientSrc
content       content_sid, content_domain
lightning     lightning_sid, lightning_domain, crsf_token
visualforce   visualforce_sid, visualforce_domain
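The following added example (not Salesforce code and not part of the original article) checks a token or refresh response against the scope table before any cookie is written, and fails closed if the web prerequisite or a per-scope value is missing. The function name planSessionCookies, the bare-hostname rule for the *_domain values, and the sample response are assumptions made for this example.

```javascript
// Added example. Parameter names are taken from the scope table on this page.
// Only the values needed to pair a SID with its domain are checked for the
// content, lightning and visualforce scopes.
const SCOPE_PARAMS = {
  web: ['sidCookieName', 'cookie-sid_Client', 'cookie-ClientSrc'],
  content: ['content_sid', 'content_domain'],
  lightning: ['lightning_sid', 'lightning_domain'],
  visualforce: ['visualforce_sid', 'visualforce_domain'],
};

// Assumption of this example: a *_domain value is a bare hostname
// (no scheme, port, path or wildcard) before it is used as a cookie domain.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

function planSessionCookies(scopes, response) {
  const errors = [];
  const plan = [];
  if (!scopes.includes('web')) {
    errors.push('web scope is a prerequisite for the hybrid app flow');
  }
  for (const scope of scopes) {
    const params = SCOPE_PARAMS[scope];
    if (!params) continue; // scopes outside the table set no session cookie here
    const missing = params.filter(
      (p) => typeof response[p] !== 'string' || response[p] === '');
    if (missing.length) {
      errors.push(`${scope}: missing ${missing.join(', ')}`);
      continue;
    }
    if (scope === 'web') continue; // web values are checked for presence only
    const domain = response[`${scope}_domain`];
    if (!HOSTNAME.test(domain)) {
      errors.push(`${scope}: ${scope}_domain is not a bare hostname`);
      continue;
    }
    plan.push({ scope, domain: domain.toLowerCase(), sid: response[`${scope}_sid`] });
  }
  // Fail closed: an incomplete response yields no cookies at all.
  return errors.length ? { ok: false, errors, plan: [] } : { ok: true, errors, plan };
}

// Constructed sample response for the web and lightning scopes.
const sampleResponse = {
  sidCookieName: 'sid',
  'cookie-sid_Client': 'CONSTRUCTED_CLIENT_VALUE',
  'cookie-ClientSrc': '203.0.113.10',
  lightning_sid: 'CONSTRUCTED_LIGHTNING_SID',
  lightning_domain: 'lightning.example.test',
};
```

Run the same check on every refresh response, because the refresh flow returns new SIDs and domains that replace the earlier cookies.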
Hybrid App Flow Cookie Examples
These examples illustrate the browser cookies that are set when you use the web, content, lightning, and visualforce scopes.
When you assign the web scope to request a web session
in the Salesforce org’s primary domain, these cookies are set in the browser.
Note: Because the web scope is a prerequisite for the
content, lightning, and visualforce scopes, the
cookies in this example are set every time you use the hybrid app flow.
When you assign the content scope, this cookie is
set.
Assigning the lightning scope sets this cookie.
And when you assign the visualforce scope, this cookie
is set.