
We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.
Starting with the Winter '15 release, Salesforce no longer allows guest users to retrieve a valid session ID using the UserInfo.getSessionId() Apex method. When this method is called in the context of a guest user, it returns NULL or triggers an INVALID_SESSION_ID error.
This change was made intentionally for security reasons. Previously, it was possible to use a guest user session ID to authenticate OAuth requests, which was an unintended behavior. Salesforce corrected this to prevent guest user session IDs from being set or used in ways that could expose organization data.
If your integration or code relies on authenticating a guest user via OAuth using UserInfo.getSessionId() as an Authorization header, it will fail with the INVALID_SESSION_ID error.
Before Winter '15, developers could use UserInfo.getSessionId() in code running as a guest user to pass as an OAuth Authorization header in HTTP requests. For example, a developer would retrieve the session ID and pass it in an HTTP request header as: Authorization: OAuth [session_id_value]. This approach was an unintended security loophole.
Salesforce corrected this behavior in Winter '15. Calling UserInfo.getSessionId() as a guest user now returns NULL or raises an INVALID_SESSION_ID error. This change ensures that guest user sessions cannot be used to create unauthorized authenticated API calls.
There is no recommended workaround for retrieving a guest user session ID. Affected customers must update their integration or custom Apex code to remove the dependency on guest user session IDs. Consider using Named Credentials or a dedicated service account with appropriate permissions for server-to-server integrations instead.
000387009