Guest user session ID returned NULL in UserInfo.getSessionId()
|Knowledge Article Number||000204984|
|Description||The error, "INVALID_SESSION_ID" indicates that you're trying to authenticate a guest user to a user in your site using OAuth. Previously, this was allowed but was an unintended loop hole and has since been fixed.
|Resolution||Before Winter 15, it was possible to get the session id for the guest user by using these codes:
HttpRequest req = new HttpRequest(); req.setHeader('Authorization', 'OAuth ' + UserInfo.getSessionId());
Now, an error code saying "INVALID_SESSION_ID" is returned if you try to get the session ID of the guest user.
This change ensures that you can still create a guest user session, but doesn't allow a guest session ID to be set or created for organization security.
There are no recommended workarounds. Affected customers will need to adjust their integration to not rely on a guest user session ID.