
Invalid Session Id error message - inconsistencies

We're testing our in-house appexchange version of our app within by configuring a web tab of type url as follows:
In my developer org, when I click my web tab, I get the following error:
INVALID_SESSION_ID:Invalid Session ID found in SessionHeader: Illegal Session
However, when my co-worker tested the same link in his developer org, it works!
Any reason why it would behave inconsistently? thanks!
Steven Lawrance
Hi ks_sfdc,

The session ID in the web tab may contain URL-encoded characters that need to be URL-decoded before being sent back to via the API. Tell-tale signs of URL-encoded characters are + signs and hexadecimal digits that are preceded by a % sign, such as %6F. Some session IDs may have = signs in them, which the URL encoder at should turn into %3D. This might be handled by the servlet library for you if you are getting the session ID query parameter through a query string parameter accessor object, but if you are extracting the session ID manually from the full URL or URI string, then you will need to URL-decode it.

Are you URL-decoding the session ID before sending it back to It's possible to debug your JSP, log that line, or write it out to System.out/err, depending on what makes sense for your runtime environment.

Strictly speaking from a wire-level perspective, the session ID will be XML-encoded when sent back to due to SOAP so that characters like < will be encoded to &lt;, but that is typically handled by the SOAP library for you. The encoding schemes used by URL query strings and XML are different.

Hopefully, this helps.

I wonder if the two developer orgs are on different servers ( versus, as an example). It should work either way, but that might be helpful to know if this needs to be turned into a support case.

Message Edited by Steven Lawrance on 08-01-2007 10:44 AM


hi Steven,

thanks for responding. I'm in the process of getting verification on whether we are url-decoding the session id or not. 

To answer your 2nd question - I took a look at the orgs and the 2 developer orgs are in fact, different. I get the error on na5 while the one on na4 works fine. I signed up for another developer org just for testing purposes, it got created on na5 and I got the same error again.



I am the developer representing the original post :

This is what we have added :

  • Session Id is initially retrieved from the request received.
  • It's then passed through RequestUtil's URLDecode method, which will decode it and take care of any special characters

But this still gives an error. Any thoughts ?

Note : As mentioned in the above post, we never have issues with a particular user's org. So what can we conclude ? Where else can our bug be ?


Milan Doshi


Does the org that has problems have the "restriction sessions to their originating IP" feature turned on ?
No. That option in Session Settings (Lock sessions to the IP address from which they originated)  is unchecked.
Just from what we have observed, developers who have their org on na4 seem to have no issues, but those on na5 / na1 have this 'Invalid Session Id' issue.
Again, we just have a few orgs and hence are not sure if it's anything to do with na1 / na5 etc.
Steven Lawrance
Web tabs and other features are extensively tested, but just to see it for myself, I tried this out on a new developer edition organization that I created on na5 and verified that this use case works properly. The issue that you are seeing might exist in the organization configuration, though I'm not quite sure what it could be outside of what was already discussed on this thread.

I created a simple PHP5 script on my server that writes out the server's timestamp information from a SOAP call. PHP5 automatically unescapes query string parameters. When I click on my custom web tab, I see "The server's time is 2007-08-03T04:54:04.299Z" with my code.

My webtab.php code exists in the following lines. My web tab link's URL, with my domain information removed to eliminate the chance that customer session IDs will appear in my server logs, is


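<?php
# Create the SOAP client; the endpoint is the serverUrl passed in the "url" query parameter
$client = new SoapClient("/etc/apache2/salesforce-partner9.wsdl", array("encoding"=>"UTF-8", "location"=>$_GET["url"]));

# Set the session ID (PHP5 has already URL-decoded the query string parameter)
# The header namespace appears empty in this post; use the target namespace of your partner WSDL
$sessionHeader = new SoapHeader("", "SessionHeader", (object)array("sessionId"=>$_GET["sessionId"]));
# Attach the header so that it is sent with every call
$client->__setSoapHeaders($sessionHeader);

# Get the server timestamp
try {
    echo "The server's time is " . $client->getServerTimestamp()->result->timestamp;
} catch (Exception $e) {
    # Report the SOAP fault, for example INVALID_SESSION_ID
    echo "SOAP call failed: " . htmlspecialchars($e->getMessage());
}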


Out of curiosity, which SOAP client library and version are you using?

If you have PHP5 on a server, can you give this script a try to see if it's the organization or the JSP page? You might need to adjust the path to the partner WSDL file in the code.


Thanks Steven for the reply. I too feel it has nothing to do with na5 / na1, but then what else can it be ?

We do not have PHP capabilities here. We are using JDK1.5 and Apache SOAP Axis 1.4.

This is how our URL looks :




Steven Lawrance
Hi Milan,

I'm not sure if the message board software is doing something strange with your URL, but when I pasted mine in, it formatted correctly. Is your URL inside of a HTML tag in the web tab's definition, such as an anchor <a href=""> link? I had my URL formatted in exactly as


with no tags or links; it was exactly that with no < or > characters in it. I'm wondering if that might be the cause, just in case if the session ID being sent is exactly "{!API.Session_ID".  Because the link has to be defined in each organization manually, that might possibly be the cause, but this is a wild guess.

If you're using HttpServletRequest.getParameter to read the queryString, I believe it already handles URL decoding, so you may be double decoding.
Another thing to check would be that you're actually handling the serverUrl correctly from the queryString, and not always sending the request to na4.

Simon, you the man!

It seems that one of the developers had started using TCPMon to see the Salesforce XML Request / Response logs. It was pointing to na4 !!! It's been resolved now. I am pasting the resolution here so that all absent-minded devs like us can benefit and avoid unnecessary debugging :)

Thanks once again to Steven and Simon,



salesforce inte

We found the same error when logged in with free developer edition API access from dotnet


INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session


Amit Lohogaonkar

Steven Lawrance
Hi Amit,

Are you accessing the correct server? You should log in using as the endpoint and then switch the endpoint URL to the one returned in LoginResult.serverUrl. If you are using an endpoint other than the one returned in the LoginResult, then you will likely get that error message.

Is your code already doing the above and getting this error?
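
The two checks discussed in this thread (decoding the session ID exactly once, and sending the call to the endpoint the web tab or LoginResult.serverUrl names) are sketched below as an added example; it is not code from any poster. The class and method names, the session ID and both URLs are constructed, and the rule that the endpoint must be an HTTPS host under salesforce.com is an assumption of this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;

// Added example: WebTabParams, decodeOnce and endpointFor are hypothetical names.
public class WebTabParams {

    // Decode one query-string value exactly once, as HttpServletRequest.getParameter does.
    static String decodeOnce(String raw) throws UnsupportedEncodingException {
        return URLDecoder.decode(raw, "UTF-8");
    }

    // Accept the serverUrl only if it is HTTPS on a salesforce.com host (assumed rule),
    // so the session ID goes to the instance that issued it and not to a fixed or proxied one.
    static String endpointFor(String serverUrl) {
        URI u = URI.create(serverUrl);
        String host = u.getHost();
        if (!"https".equalsIgnoreCase(u.getScheme()) || host == null
                || !host.toLowerCase().endsWith(".salesforce.com")) {
            throw new IllegalArgumentException("unexpected API endpoint: " + serverUrl);
        }
        return serverUrl;
    }

    public static void main(String[] args) throws Exception {
        // Constructed session ID containing characters that URL encoding changes.
        String sessionId = "00D50000000Abc!AQ+x%2Fy=";
        String onTheWire = URLEncoder.encode(sessionId, "UTF-8");
        String once = decodeOnce(onTheWire);   // what getParameter() hands to the JSP
        String twice = decodeOnce(once);       // an extra manual decode on top of that
        System.out.println("wire : " + onTheWire);
        System.out.println("once : " + once + "  matches=" + once.equals(sessionId));
        System.out.println("twice: " + twice + "  matches=" + twice.equals(sessionId));

        // Constructed serverUrl values: the issuing instance and a local capture proxy.
        String[] urls = { "https://na5.salesforce.com/services/Soap/u/9.0",
                          "http://localhost:8080/services/Soap/u/9.0" };
        for (String url : urls) {
            try {
                System.out.println("use  : " + endpointFor(url));
            } catch (IllegalArgumentException e) {
                System.out.println("skip : " + e.getMessage());
            }
        }
    }
}
```

The second decode turns the + into a space and %2F into /, so the value no longer matches the session ID that was issued. Logging the endpoint actually used for each call, next to the serverUrl received, makes a redirected or hard-coded instance visible at once.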