Gino Basso

Should clicking the logout link in the SF UI result in a new session id when you log back in?

I've set up a simple S-control (see below) that shows me the current session id (as provided by {!$Api.Session_ID}).
 
When I log out and log back in through the UI (i.e. clicking on the Logout link at the top of the page) I'm seeing the same session id.
 
This happens even after I close my browser (though I do have other browser windows open to other sites).
 
Not only that, but I even went so far as to log in (with the same username) on a co-worker's machine and ended up with the same session id!
 
I'm using a Developer sandbox if that makes any difference.
 
My expectation is that if the user explicitly clicks the logout link and then logs back in that a new session id should result...
 
Thanks in advance.
 
S-Control:
 
Code:
<html> 
<head> 
<script src="/soap/ajax/14.0/connection.js"></script> 
<script src="/soap/ajax/14.0/apex.js"></script> 
<script language="JavaScript" type="text/javascript"> 

function init() 
{ 
var session = "{!$Api.Session_ID}"; 
document.write('<font face="Arial" font size="1"/>'); 
document.write("<p>"); 
document.write(session); 
document.write("</p>"); 
} 
</script> 
</head> 
<body onload=init()> 
<p>blah</p> 
</body> 
</html>
werewolf
The behavior of the session ID has changed over the years.  The behavior you're describing used to be true, but is not necessarily true anymore.  There's nothing inherently wrong with getting the same session ID provided Salesforce.com knows you have logged out (which it does).
Gino Basso
I guess it's not consistent then because in conducting the same tests today the session ID is changing with each logout.
 
Not only that, but two different S-controls show different session IDs (???).
 
I guess I can't help but wonder if there's something amiss with the latest platform upgrade (Winter '09?).
Superfell
The relationship between users/sessions and how those sessions are obtained are undocumented and subject to change. If you're going to rely on perceived patterns in sessions, you're setting yourself up for trouble; you should only rely on the information obtained from an API call using the session, and not decide anything on the actual sessionId itself.
Gino Basso
We were 'relying' on the session id changing after an explicit user logout as a means of negating certain cached configuration data (this is all in the context of a Flex application). More specifically, we want to be able to tell our client that if a configuration change is made in Salesforce the user need only log out and log back in for the change to take effect.
 
Frankly this seems like a reasonable assumption - the session changing after an explicit logout. Otherwise, why have the option at all?
 
That said, the session has to expire eventually anyways based on the Setup option in Salesforce, at which point the cached data would be refreshed.
 
Finally, some subsequent testing has led me to speculate that the session id remains unchanged if you just close the browser rather than explicitly logging out. Once this happens it seems that explicitly logging out has no effect - you get the same session id as before until (presumably?) the session expires.
 
Thanks to all who replied.
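
The approach Superfell recommends above, sketched as an added example that is not code from any poster in this thread: the cache is invalidated by a version value returned from an API call, and a login event only forces a re-check, so it works whether or not the session ID changes. `fetchVersion`, `fetchConfig`, `onLogin` and the sample values are hypothetical names and constructed data, and the callbacks are synchronous to keep the sketch short.

```javascript
// Added example: the session ID is used only as a credential, never as a cache key.
// fetchVersion / fetchConfig are hypothetical callbacks standing in for whatever
// API call the application makes with its session.
class ConfigCache {
  constructor(fetchVersion, fetchConfig, maxAgeMs, now = Date.now) {
    this.fetchVersion = fetchVersion;
    this.fetchConfig = fetchConfig;
    this.maxAgeMs = maxAgeMs;
    this.now = now;
    this.entry = null; // { version, config, checkedAt }
    this.reloads = 0;  // how many times the full config was fetched
  }

  // Call from the application's own login handler: forces a version check
  // on the next get(), even if the server hands back the same session ID.
  onLogin() {
    if (this.entry) this.entry.checkedAt = -Infinity;
  }

  get(sessionId) {
    const t = this.now();
    const stale = this.entry === null || t - this.entry.checkedAt >= this.maxAgeMs;
    if (stale) {
      const version = this.fetchVersion(sessionId);
      if (this.entry === null || version !== this.entry.version) {
        this.entry = { version, config: this.fetchConfig(sessionId), checkedAt: t };
        this.reloads += 1;
      } else {
        this.entry.checkedAt = t; // unchanged on the server: keep the cached copy
      }
    }
    return this.entry.config;
  }
}

// Constructed demo: a fake server and a session ID that stays the same across logins.
function demo() {
  const server = { version: 1, config: { theme: "blue" } };
  const cache = new ConfigCache(() => server.version, () => ({ ...server.config }), 60000, () => 0);
  const sid = "SAME-SESSION-ID"; // constructed placeholder
  const first = cache.get(sid).theme;
  server.version = 2;
  server.config = { theme: "green" };         // configuration change on the server
  const beforeRelogin = cache.get(sid).theme; // served from cache
  cache.onLogin();                            // user logs out and back in
  const afterRelogin = cache.get(sid).theme;  // version check sees the change
  return { first, beforeRelogin, afterRelogin, reloads: cache.reloads };
}
```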