ks_sfdc

Invalid Session Id error message - inconsistencies

Hi,
 
We're testing our in-house appexchange version of our app within salesforce.com by configuring a web tab of type url as follows:
 
 
In my developer org, when I click my web tab, I get the following error:
INVALID_SESSION_ID:Invalid Session ID found in SessionHeader: Illegal Session
 
However, when my co-worker tested the same link in his developer org, it works!
 
Any reason why it would behave inconsistently? thanks!
 
KS
Steven Lawrance
Hi ks_sfdc,

The session ID in the web tab may contain URL-encoded characters that need to be URL-decoded before being sent back to Salesforce.com via the API. Tell-tale signs of URL-encoded characters are + signs and hexadecimal digits that are preceded by a % sign, such as %6F. Some session IDs may have = signs in them, which the URL encoder at Salesforce.com should turn into %3D. This might be handled by the servlet library for you if you are getting the session ID query parameter through a query string parameter accessor object, but if you are extracting the session ID manually from the full URL or URI string, then you will need to URL-decode it.

Are you URL-decoding the session ID before sending it back to Salesforce.com? It's possible to debug your JSP, log that line, or write it out to System.out/err, depending on what makes sense for your runtime environment.

Strictly speaking from a wire-level perspective, the session ID will be XML-encoded when sent back to Salesforce.com due to SOAP so that characters like < will be encoded to &lt;, but that is typically handled by the SOAP library for you. The encoding schemes used by URL query strings and XML are different.

Hopefully, this helps.

I wonder if the two developer orgs are on different servers (na4.salesforce.com versus na5.salesforce.com, as an example). It should work either way, but that might be helpful to know if this needs to be turned into a support case.

Message Edited by Steven Lawrance on 08-01-2007 10:44 AM

ks_sfdc

hi Steven,

thanks for responding. I'm in the process of getting verification on whether we are url-decoding the session id or not. 

To answer your 2nd question - I took a look at the orgs and the 2 developer orgs are in fact, different. I get the error on na5 while the one on na4 works fine. I signed up for another developer org just for testing purposes, it got created on na5 and I got the same error again.

thanks.

Milan

I am the developer representing the original post :

This is what we have added :

  • Session Id is initially retrieved from the request received.
  • It's then passed through RequestUtil's URLDecode method which will decode it and take care of any special characters

But this still gives an error. Any thoughts ?

Note : As mentioned in the above post, we never have issues with a particular user's org. So what can we conclude ? Where else can our bug be ?

Thanks,

Milan Doshi

 

Superfell
Does the org that has problems have the "restriction sessions to their originating IP" feature turned on ?
ks_sfdc
No. That option in Session Settings (Lock sessions to the IP address from which they originated)  is unchecked.
 
-KS
Milan
Just from what we have observed, developers who have their org on na4 seem to have no issues, but those on na5 / na1 have this 'Invalid Session Id' issue.
 
Again, we just have few orgs and hence not sure if it's anything to do with na1/ na5 etc.
 
Thanks,
Milan
Steven Lawrance
Web tabs and other features are extensively tested, but just to see it for myself, I tried this out on a new developer edition organization that I created on na5 and verified that this use case works properly. The issue that you are seeing might exist in the organization configuration, though I'm not quite sure what it could be outside of what was already discussed on this thread.

I created a simple PHP5 script on my server that writes out the server's timestamp information from a SOAP call. PHP5 automatically unescapes query string parameters. When I click on my custom web tab, I see "The server's time is 2007-08-03T04:54:04.299Z" with my code.

My webtab.php code exists in the following lines. My web tab link's URL, with my domain information removed to eliminate the chance that customer session IDs will appear in my server logs, is
https://www/webtab.php?url={!API.Partner_Server_URL_90}&sessionId={!API.Session_ID}

<?php

# Create the SOAP client
$client = new SoapClient("/etc/apache2/salesforce-partner9.wsdl", array("encoding"=>"UTF-8", "location"=>$_GET["url"]));

# Set the session ID
$sessionHeader = new SoapHeader("urn:enterprise.soap.sforce.com", "SessionHeader", (object)array("sessionId"=>$_GET["sessionId"]));
$client->__setSoapHeaders(array($sessionHeader));

# Get the server timestamp
try {
    echo "The server's time is " . $client->getServerTimestamp()->result->timestamp;
} catch (Exception $e) {
    print_r($e);
}

?>

Out of curiosity, which SOAP client library and version are you using?

If you have PHP5 on a server, can you give this script a try to see if it's the organization or the JSP page? You might need to adjust the path to the partner WSDL file in the code.

Milan

Thanks Steven for the reply. I too feel it has nothing to do with na5/ na1, but then what else can it be ?

We do not have PHP capabilities here. We are using JDK1.5 and Apache SOAP Axis 1.4.

This is how our URL looks :

http://servername/DBSalesForce.jsp?serverUrl={!API.Partner_Server_URL_90}&sessionId={!API.Session_ID}

Thanks,

Milan

Steven Lawrance
Hi Milan,

I'm not sure if the message board software is doing something strange with your URL, but when I pasted mine in, it formatted correctly. Is your URL inside of an HTML tag in the web tab's definition, such as an anchor <a href=""> link? I had my URL formatted in Salesforce.com exactly as

https://www/webtab.php?url={!API.Partner_Server_URL_90}&sessionId={!API.Session_ID}

with no tags or links; it was exactly that with no < or > characters in it. I'm wondering if that might be the cause, just in case if the session ID being sent is exactly "{!API.Session_ID".  Because the link has to be defined in each organization manually, that might possibly be the cause, but this is a wild guess.


Superfell
If you're using HttpServletRequest.getParameter to read the queryString, I believe it already handles URL decoding, so you may be double decoding.
Superfell
Another thing to check would be that you're actually handling the serverUrl correctly from the queryString, and not always sending the request to na4.
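
The two checks suggested above (decode the query string only once, and send the call to the serverUrl from the request rather than a fixed host), as an added Python sketch that is not part of the original thread or any poster's code. The query string, the session ID value and the `.salesforce.com` trust suffix are constructed assumptions, and the function names are hypothetical.

```python
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption for this sketch: the only API hosts the integration should talk to.
TRUSTED_SUFFIX = ".salesforce.com"

# Constructed sample of the query string a web tab would send (not a real session).
SAMPLE_QUERY = ("serverUrl=https%3A%2F%2Fna5.salesforce.com%2Fservices%2FSoap%2Fu%2F9.0"
                "&sessionId=00D5000000Abc%21AQ4AQ%2Bxyz%3D")

def read_params(raw_query):
    """Decode the query string exactly once, as getParameter() or $_GET do."""
    return {k: v[0] for k, v in parse_qs(raw_query, keep_blank_values=True).items()}

def check_session_id(sid):
    """Reject values that show the ID was mangled before reaching the API call."""
    if not sid or sid.startswith("{!"):
        raise ValueError("merge field was not substituted")
    if " " in sid:
        raise ValueError("space in session ID: '+' was URL-decoded a second time")
    return sid

def check_server_url(url):
    """Only forward the session ID over HTTPS to a trusted API host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(TRUSTED_SUFFIX):
        raise ValueError("refusing to send session ID to " + repr(url))
    return url

def endpoint_for(raw_query, configured_endpoint=None):
    """Return (endpoint, session_id); fail if a fixed endpoint overrides serverUrl."""
    params = read_params(raw_query)
    sid = check_session_id(params.get("sessionId", ""))
    server_url = check_server_url(params.get("serverUrl", ""))
    if configured_endpoint is not None:
        fixed_host = urlsplit(configured_endpoint).hostname
        session_host = urlsplit(server_url).hostname
        if fixed_host != session_host:
            raise ValueError("endpoint host %s does not match the session's server %s"
                             % (fixed_host, session_host))
    return server_url, sid

if __name__ == "__main__":
    print(endpoint_for(SAMPLE_QUERY))
    # Decoding the already-decoded value turns '+' into a space.
    print(repr(unquote_plus(read_params(SAMPLE_QUERY)["sessionId"])))
```
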
Milan

Simon, you the man!

It seems that one of the developers had started using TCPMon to see the Salesforce XML Request / Response logs. It was pointing to na4 !!! It's been resolved now. I am pasting the resolution here so that all absent minded devs like us can benefit and avoid unnecessary debugging :)

Thanks once again to Steven and Simon,

Regards,

Milan

salesforce inte

We found the same error when logged in with free developer edition API access from dotnet

 

INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session

 

Amit Lohogaonkar

Amit@varstreet.com

Steven Lawrance
Hi Amit,

Are you accessing the correct server? You should log in using https://www.salesforce.com/services/Soap/u/10.0 as the endpoint and then switch the endpoint URL to the one returned in LoginResult.serverUrl. If you are using an endpoint other than the one returned in the LoginResult, then you will likely get that error message.

Is your code already doing the above and getting this error?