Thursday, January 31, 2013

Getting INVALID_SESSION_ID using Salesforce's SOAP based API

For those of you consuming the Salesforce SOAP API:

The more calls you make, the more errors you'll get (if you're using the same user to perform these calls).

This is a brief description of what happened to me:
I implemented a process to perform real-time user provisioning by using Salesforce SOAP-based API calls. In a few words, this is my process:
  1. Login
  2. Generate User Account (Using Connection.upsert)
  3. Verify if User already exists (query User) to determine if next step will be Update or Insert
  4. Upsert (Insert or Update) User
  5. Upsert (Using Connection.upsert) other related objects (custom)
  6. Logout

This process gets invoked when performing SSO, therefore I get as many executions of this process as users try to access my portal.

There is no pattern to this issue.

This is the error I see in my PingFederate logs: [UnexpectedErrorFault [ApiFault exceptionCode='INVALID_SESSION_ID' exceptionMessage='Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session key' ...

It happens after login has been performed (it could be before executing any step before Logout, or during Logout). This error is generating incomplete user/accounts in Salesforce (some objects are not created due to this error).


After a few calls and emails with Salesforce Developer Support, I got a clear and simple answer:

"There is no implication by calling only login and no logout()"
"Client applications do not need to explicitly log out to end a session. Sessions expire automatically after a predetermined length of inactivity".

Then, instead of overthinking this problem and designing some complex solution, such as implementing a connection pooling mechanism or making my Connection object a singleton, the answer was easier than I thought. Don't call Logout, and call Login as many times as you need. You'll get the same Session_Id (your session will be refreshed on Salesforce and will remain active), letting Salesforce kill it when I'm not using it.

Cool!
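
A toy model of the behaviour described in this post, added here as an illustration; it is not Salesforce or PingFederate code. It assumes, as the post reports, that repeated logins by the same user return the same session ID, and additionally assumes that an explicit logout invalidates that shared session. All class and function names, the `api.user` account and the interleaving schedule are hypothetical.

```python
import uuid

class InvalidSessionId(Exception):
    """Stands in for the INVALID_SESSION_ID fault quoted in the post."""

class ToySessionService:
    """Toy model, not Salesforce code: one shared live session per username."""
    def __init__(self):
        self._by_user, self._live = {}, set()

    def login(self, username):
        # Assumption from the post: a repeated login returns the same session id.
        sid = self._by_user.get(username)
        if sid not in self._live:
            sid = self._by_user[username] = uuid.uuid4().hex
            self._live.add(sid)
        return sid

    def call(self, sid, op):
        if sid not in self._live:
            raise InvalidSessionId(op)
        return op

    def logout(self, sid):
        self.call(sid, "logout")      # assumption: logout kills the shared session
        self._live.discard(sid)

STEPS = ["upsert Account", "query User", "upsert User", "upsert custom objects"]

def provision(svc, username, explicit_logout):
    """One SSO-triggered provisioning run, yielding after each completed step."""
    sid = svc.login(username)
    yield "login"
    for op in STEPS:
        yield svc.call(sid, op)
    if explicit_logout:
        svc.logout(sid)
        yield "logout"

def run_interleaved(explicit_logout, schedule="AAABBAAABBBB"):
    """Interleave runs A and B (constructed schedule) under one API user."""
    svc = ToySessionService()
    flows = {n: provision(svc, "api.user", explicit_logout) for n in "AB"}
    done, failed = {"A": [], "B": []}, {}
    for n in schedule:
        if n in failed:
            continue
        try:
            done[n].append(next(flows[n]))
        except StopIteration:
            pass
        except InvalidSessionId as exc:
            failed[n] = str(exc)     # step that hit the dead session
    return done, failed
```

With `explicit_logout=True`, run B stops after its Account upsert because run A's logout removed the session they share; with `False`, both runs complete every step.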

3 comments:

  1. I'm not completely clear on the solution. Are you saying that with the Salesforce Enterprise SOAP usage, clients never need to call logout?

    I have a lot of various applications that run in different process spaces that all use the Enterprise SOAP. Are you saying that in each of these apps I can just create a new EnterpriseConnection, login, do any amount of work and then just let the EnterpriseConnection instance go out of scope? E.g. I should not call logout before it goes out of scope?

    1. Just don't call logout explicitly. Let their (Salesforce) application servers kill your session. Eventually it will time out if it is inactive for more than 30 minutes. Just like with any typical J2EE Web Application, their servlet container will invalidate your session, since the communication with them is stateful.
