Print this page

Guest user session ID returned NULL in UserInfo.getSessionId()

Knowledge Article Number 000204984
Description The error, "INVALID_SESSION_ID" indicates that you're trying to authenticate a guest user to a user in your site using OAuth. Previously, this was allowed but was an unintended loop hole and has since been fixed.

Resolution Before Winter 15, it was possible to get the session id for the guest user by using these codes:
HttpRequest req = new HttpRequest();
req.setHeader('Authorization', 'OAuth ' + UserInfo.getSessionId());

Now, an error code saying "INVALID_SESSION_ID" is returned if you try to get the session ID of the guest user.

This change ensures that you can still create a guest user session, but doesn't allow a guest session ID to be set or created for organization security.

There are no recommended workarounds. Affected customers will need to adjust their integration to not rely on a guest user session ID.

promote demote