I am writing an app for Salesforce, and I am using the OAuth 2 web server flow to authenticate the app. When I look at the sid inside the Salesforce SID cookie, it's different from the access token I get through OAuth. I verified that with both the SID and the access token I can access the API. What is the difference between using the SID and the access token? Is their access level different? Is their expiration different? I was under the impression that the value of both should be the same. I was surprised when I saw they are different but I can use both to access the API.
1
votes
1 Answers
1
votes
The OAuth session will have the level of access as defined by the scope that it was created with. If it has the web or full scopes then it can be used to access the standard Salesforce UI in the same way that the sid cookie can.
They are however separate/distinct sessions. This allows one to log out without affecting the other. For instance, you probably wouldn't expect your active web session to end if you log out of a third-party app/tool that is only interacting with the API.
You can learn a bit about the types of session from the User Session Information page at: Setup > Administration Setup > Security Controls > Session Management.
See also: Understanding User Session Information