Fakeha Quazi

Is using $Api.Session_ID in a Visualforce page that will be used on a Force.com site vulnerable?

I am using $Api.Session_ID in a script in a VF page. I will be using this page for guest users. This {!$Api.Session_ID} returns some value. Is it a wrong way to get the session id, as this page will be used for site Guest users? Is it vulnerable?

<apex:page controller="ABCcntr">
    <script>
        <!-- the merge field expands to a plain string, so it must be quoted for the script to parse -->
        var token = "{!$Api.Session_ID}";
    </script>
</apex:page>
Vinay (Salesforce Developers)
Hi Fakeha,

Do you see any INVALID_SESSION_ID error? As per the article below, before Winter '15 it was possible to get the session id for the guest user.

https://help.salesforce.com/s/articleView?id=000335516&type=1

You can use something like the below.

<!-- sforce.connection comes from the AJAX Toolkit, so the page must include connection.js first; the API version in the path is only illustrative -->
<apex:includeScript value="/soap/ajax/30.0/connection.js"/>
<script type="text/javascript">
    sforce.connection.sessionId = "{!$Api.Session_ID}";
</script>

Please mark as Best Answer if the above information was helpful.

Thanks,
Fakeha Quazi
Hi Vinay,

I am getting some value in {!$Api.Session_ID} when the page runs for Guest users.
My question is: SF does not give access to the session id, so why does it work? Is it vulnerable?

Thanks,
Fakeha
Vinay (Salesforce Developers)
Strange, and not sure how it is working; however, this might not be a vulnerability, but it is not a best practice. You can log a case with Salesforce to further debug how this is working.

Hope this helps...

Thanks,
sfdcfox
Every transaction in Salesforce is run by some user, full stop. When a session is created for a user that's not logged in, they're a Guest User. Note that their permissions will be limited by the portal's security settings, the Guest User's profile settings, and the External Sharing Model for the various objects you've configured. Assuming your security is set up correctly, there are no additional vulnerability concerns about having the Session ID of a Guest User in the portal. Also, remember that the Session ID will be visible in the browser's cookies anyway, so it's not an additional vulnerability.
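A hardened variant of the page from the question, added here as an example and not code from the thread: it stays inside the Guest User boundaries sfdcfox describes (Guest profile, site settings, sharing model) and never writes the session ID into the page source, because JavaScript Remoting authenticates the request on the server side. The class name, page name and the Account query are assumptions.

```apex
// GuestDataController.cls (assumed name). Every request to the site page runs
// as the Guest User, so the Guest profile, the site's security settings and the
// external sharing model cap what this class can read; "with sharing" keeps
// record-level sharing enforced rather than bypassing it.
public with sharing class GuestDataController {

    // Invoked from the page through JavaScript Remoting. The browser never
    // needs a session ID: the remoting framework authenticates the call itself.
    @RemoteAction
    public static List<Map<String, String>> getPublicItems() {
        List<Map<String, String>> items = new List<Map<String, String>>();
        // Field-level security check so a misconfigured Guest profile fails
        // closed instead of exposing a field the site was not meant to show.
        if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
            return items;
        }
        for (Account a : [SELECT Id, Name FROM Account LIMIT 20]) {
            items.add(new Map<String, String>{ 'id' => a.Id, 'name' => a.Name });
        }
        return items;
    }
}

// ---- GuestPage.page (assumed name) ----
// <apex:page controller="GuestDataController" showHeader="false">
//     <ul id="items"></ul>
//     <script type="text/javascript">
//         // No {!$Api.Session_ID} anywhere in the page: the remoting call
//         // carries its own authentication for the Guest User context.
//         Visualforce.remoting.Manager.invokeAction(
//             '{!$RemoteAction.GuestDataController.getPublicItems}',
//             function (result, event) {
//                 if (!event.status) { console.error(event.message); return; }
//                 var list = document.getElementById('items');
//                 result.forEach(function (item) {
//                     var li = document.createElement('li');
//                     li.textContent = item.name; // textContent, not innerHTML
//                     list.appendChild(li);
//                 });
//             },
//             { escape: true }
//         );
//     </script>
// </apex:page>
```

The page markup is shown as a comment only so both files sit in one listing; it is deployed as a normal Visualforce page.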