Loading

Guest user session ID returned NULL in UserInfo.getSessionId()

Data pubblicazione: Jun 3, 2026
Descrizione

Background

Starting with the Winter '15 release, Salesforce no longer allows guest users to retrieve a valid session ID using the UserInfo.getSessionId() Apex method. When this method is called in the context of a guest user, it returns NULL or triggers an INVALID_SESSION_ID error.
This change was made intentionally for security reasons. Previously, it was possible to use a guest user session ID to authenticate OAuth requests, which was an unintended behavior. Salesforce corrected this to prevent guest user session IDs from being set or used in ways that could expose organization data.
If your integration or code relies on authenticating a guest user via OAuth using UserInfo.getSessionId() as an Authorization header, it will fail with the INVALID_SESSION_ID error.

Risoluzione

Why the Error Occurs

Before Winter '15, developers could use UserInfo.getSessionId() in code running as a guest user to pass as an OAuth Authorization header in HTTP requests. For example, a developer would retrieve the session ID and pass it in an HTTP request header as: Authorization: OAuth [session_id_value]. This approach was an unintended security loophole.

Current Behavior

Salesforce corrected this behavior in Winter '15. Calling UserInfo.getSessionId() as a guest user now returns NULL or raises an INVALID_SESSION_ID error. This change ensures that guest user sessions cannot be used to create unauthorized authenticated API calls.

Recommended Action

There is no recommended workaround for retrieving a guest user session ID. Affected customers must update their integration or custom Apex code to remove the dependency on guest user session IDs. Consider using Named Credentials or a dedicated service account with appropriate permissions for server-to-server integrations instead.

Numero articolo Knowledge

000387009

 
Caricamento
Salesforce Help | Article