
Callout security using session id

I am planning to make a callout from SF to a corporate webservice.  The corporate webservice needs to verify that the incoming call is from a valid SF user in our org.  I would like to authenticate without using certificates.  The plan is to use Apex to pass the active SF user's session id in the callout to the corporate webservice.  The corporate webservice will then use the SF API to query SF and validate the session is active and the org is correct (without logging in, just using the session id).  The session expires in 2 hours and all SF users have restricted IP ranges so they can only connect to SF from our corporate network.
My concern is with that session id, a hacker spoofing the IP address could connect to SF and have the full security of the user's profile and could update SF tables through the API until the session expires (2 hours).  Is this a valid concern?  Can anyone improve on this?
Spoofing an IP address is not that easy, first of all.  That aside, you can generate a session ID that is specific to a certain package and has very specific rights, so you can lock down what sort of access it has.  Another option is to assign a user to the corporate web service itself, and rather than passing a session ID, just pass the user ID and whatever other info is needed, and let the web service authenticate itself as itself -- then you can use the standard Profile paradigm to restrict access, and you're not passing any session ID over the wire.
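As an added example (not code from the original thread), here is the corporate web service's side of the design the question describes: it takes the session id the Apex callout sent, asks Salesforce which user and org that session belongs to, and accepts the call only if the session is still live and the org id matches ours. The HTTP call is injected as a function so the block runs offline against constructed responses; the real request would be a GET to the Salesforce userinfo endpoint with `Authorization: Bearer <session id>`, and the field names `organization_id` / `user_id` and the org id value are assumptions written into the code as placeholders. The example also reflects the answer's point: whatever the service checks, the session id it received is a bearer credential for the full user profile until it expires, so the check reduces who can call the service but not what a leaked id could do elsewhere.

```python
# Added example: web-service-side validation of a Salesforce session id passed
# in an Apex callout. Not from the forum post; endpoint and field names assumed.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Optional

# Placeholder org id (constructed): Salesforce org ids start with "00D".
EXPECTED_ORG_ID = "00D000000000000AAA"

# Assumed endpoint; returns JSON about the session's user when the bearer
# token (session id) is live, and HTTP 401/403 when it is expired or invalid.
USERINFO_URL = "https://login.salesforce.com/services/oauth2/userinfo"

IdentityFetcher = Callable[[str], Optional[Mapping[str, Any]]]


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    user_id: Optional[str] = None


def live_fetch_identity(session_id: str) -> Optional[Mapping[str, Any]]:
    """Real network variant: ask Salesforce who owns this session (None = rejected)."""
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": f"Bearer {session_id}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None  # expired or unknown session
        raise


def verify_salesforce_session(
    session_id: str,
    fetch_identity: IdentityFetcher,
    expected_org_id: str = EXPECTED_ORG_ID,
) -> Verdict:
    """Accept the callout only if Salesforce confirms a live session in our org."""
    # Salesforce session ids look like "<org id prefix>!<opaque part>"; refusing
    # obviously malformed input early is a sanity check, not an authentication step.
    if not session_id or "!" not in session_id:
        return Verdict(False, "malformed session id")
    identity = fetch_identity(session_id)
    if identity is None:
        return Verdict(False, "session rejected by Salesforce (expired or invalid)")
    org_id = identity.get("organization_id")
    if org_id != expected_org_id:
        # A perfectly valid session from some other org must not be trusted.
        return Verdict(False, f"session belongs to org {org_id}, not ours")
    return Verdict(True, "ok", identity.get("user_id"))


# Constructed stand-in for the Salesforce call so the example runs offline:
# maps session ids Salesforce "would accept" to the identity it "would report".
SAMPLE_IDENTITIES = {
    "00D000000000000!AQ0AQsample_live_session": {
        "organization_id": EXPECTED_ORG_ID,
        "user_id": "005000000000000AAA",
    },
    "00D000000000001!AQ0AQsession_from_other_org": {
        "organization_id": "00D000000000001AAA",
        "user_id": "005000000000001AAA",
    },
}


def sample_fetch_identity(session_id: str) -> Optional[Mapping[str, Any]]:
    """Offline fetcher: anything not in the table behaves like an expired session."""
    return SAMPLE_IDENTITIES.get(session_id)


if __name__ == "__main__":
    for sid in list(SAMPLE_IDENTITIES) + ["00D000000000000!AQ0AQexpired", "garbage"]:
        print(sid[:28], "->", verify_salesforce_session(sid, sample_fetch_identity))
```

In production the fetcher would be `live_fetch_identity`; keeping the network call behind a function also makes it easy to log every rejected session id prefix (never the full id) for detection of replay attempts from outside the expected IP ranges.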