rak1

Invalid Session id when access token used as client session id

Hi,
I have added OAuth login to my application, and I get an access token after a successful login...
I read on Stack Exchange that we can also use the access token as the session ID for the PHP Salesforce API.
My code is as follows:
           
    $location = $_SESSION['ws_endpoint'];
    $sessionId = $_SESSION['access_token'];

    // Process of logging on and getting a salesforce.com session
    $client = new SforcePartnerClient();
    $client->createConnection($wsdl);
    $client->setEndpoint($location);
    $client->setSessionHeader($sessionId);

    $service = new SoapClient($servicewsdl, array("trace" => 1, "soap_version" => SOAP_1_1));
    $sforce_header = new SoapHeader($_SESSION['ws_namespace'], "SessionHeader", array("sessionId" => $client->getSessionId()));
    $service->__setSoapHeaders(array($sforce_header));

$sessionId is the access token returned from the OAuth login redirect URI.
It shows INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session
 
Sagar Pareek

This error message can be thrown in the following scenarios:

1) The affected integration is sharing credentials with a user or another integration. In this case, if the user or the other integration logs out of Salesforce.com while the first integration is running, the existing Session ID will be invalidated, and the integration will get the INVALID_SESSION_ID error message the next time it tries to send a message to the Salesforce API.

To solve this problem, avoid sharing credentials and make sure each integration application or user uses its own username.

2) One integration is making concurrent calls and not handling the session ID status. Integrations that make concurrent API calls and issue logout calls run a higher risk of receiving INVALID_SESSION_ID errors. For example, if the integration performs the following operations, in this order:

- Login
- Create
- Logout

An operation may attempt to issue a create call even though the other operation has logged out, resulting in an INVALID_SESSION_ID.

Concurrency is not explicitly supported in the Web Services API and the scenario described above is not recommended. However, in some cases, multiple API requests may issue concurrent calls under the same username (i.e. possibly using the same session).  For example, one user may be using the Outlook Edition plugin and a third-party integration at the same time.

Any API calls should handle the INVALID_SESSION_ID gracefully by implementing exception handling.  There are common patterns for handling this problem:

- Bubbling the error up to the user, prompting for the username and password, and issuing another login call.
- Implement a session Id pooling mechanism, whereby the integration is checking the pool of session Ids, rather than issuing login() or logout() calls on a regular basis.
- Issue a "ping", such as getServerTimestamp(), to check if the session Id is valid.  If it is valid, proceed with the call.  If it is not valid, attempt to retry the login automatically.

In all cases, extreme caution should be used with regard to storing usernames, passwords, and session Ids.  Consult with a security professional if the level of security in the implementation is in question.
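
The exception-handling and "ping, then retry the login" patterns from the answer above, as an added example that is not part of the original thread or of the Salesforce PHP toolkit. The names callWithSessionRetry, isInvalidSession and StubClient are hypothetical; StubClient is a constructed stand-in for SforcePartnerClient so the code runs offline.

```php
<?php
// Added example: retry an API call once after INVALID_SESSION_ID.

function isInvalidSession(Throwable $e): bool
{
    // API errors normally arrive as SoapFault; check both the fault code
    // and the message text for the INVALID_SESSION_ID marker.
    $code = $e instanceof SoapFault ? (string) ($e->faultcode ?? '') : '';
    return strpos($code . ' ' . $e->getMessage(), 'INVALID_SESSION_ID') !== false;
}

function callWithSessionRetry(callable $apiCall, callable $reauth)
{
    try {
        return $apiCall();
    } catch (Throwable $e) {
        if (!isInvalidSession($e)) {
            throw $e;       // unrelated failure: do not mask it
        }
    }
    $reauth();              // obtain and install a fresh session
    return $apiCall();      // one retry only; a second failure propagates
}

// Constructed stand-in for SforcePartnerClient (assumption, offline demo).
final class StubClient
{
    public string $sessionId = 'expired-token';
    public function setSessionHeader(string $id): void { $this->sessionId = $id; }
    public function getServerTimestamp(): string
    {
        if ($this->sessionId !== 'fresh-token') {
            throw new RuntimeException('INVALID_SESSION_ID: Invalid Session ID found in SessionHeader');
        }
        return '2023-01-01T00:00:00Z';
    }
}

$client = new StubClient();
$logins = 0;
$ts = callWithSessionRetry(
    fn () => $client->getServerTimestamp(),   // the "ping" call
    function () use ($client, &$logins) {
        $logins++;
        // Real code would log in again here; never write the session ID to logs.
        $client->setSessionHeader('fresh-token');
    }
);
echo "timestamp=$ts reauth_calls=$logins\n";
```

Limiting the wrapper to a single retry keeps a permanently rejected credential from turning into a login loop.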
rak1
That means my code is correct, and I get this error message because of a login as the same user in another OAuth mechanism,
but I always clear my session & cookies before testing.
Is the process correct or not (using the access token as the session ID)?

I'm calling a web service after that.
My code works fine if I use a custom login screen with username, password, and security token (PHP API).
(Can you also tell me which editions require a security token when logging in to third-party applications? I think every edition has this setting in an enable/disable manner.)
Now I want to use it with OAuth...
And this gives me this error.