Log in to a Lightning-enabled Salesforce instance using SessionId

If you have a session ID, you can log in to Salesforce directly using the URL hack below:

https://[instance].salesforce.com/secur/frontdoor.jsp?sid=[sessionId]

In the above URL, replace [instance] with the actual Salesforce instance name and [sessionId] with the user's actual session ID.

In the same way, we can log in directly to portals or communities using the URL hack below:

https://[instance].salesforce.com/secur/frontdoor.jsp?sid=[sessionid]&orgId=[orgId]&portalId=[portalOrCommunityId]

I tried to see how we can log in to Salesforce after Lightning design is enabled in Salesforce and found that the below URL hack actually works, assuming we want to open an Opportunity record after successful login. If you don’t want to redirect to any existing Lightning page or record, then you can simply ignore the URL part after [SessionId].

https://[instance].salesforce.com/one/one.app?sid=[SessionId]#/sObject/006B0000002p2FrIAI/view

Note: You have to be very careful while using the SessionId. If it is publicly available, then anyone can have access to your Salesforce org.
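
Because the session ID sits in the query string of all three URL forms above, it can end up in browser history, logs and pasted links. The following is an added example (not part of the original post) that finds those URL forms in log lines and redacts the `sid` value; the host name, log format and sample values are constructed, and matching only on the paths `/secur/frontdoor.jsp` and `/one/one.app` is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Paths from the post that accept a session ID in the query string.
SID_PATHS = ("/secur/frontdoor.jsp", "/one/one.app")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Matches the sid parameter anywhere in the query, but not e.g. "side=".
SID_PARAM_RE = re.compile(r"(^|&)(sid=)[^&]*", re.IGNORECASE)

def redact_url(url):
    """Return (url_with_sid_redacted, found_sid)."""
    parts = urlsplit(url)
    if parts.path not in SID_PATHS:
        return url, False
    query, count = SID_PARAM_RE.subn(r"\1\2REDACTED", parts.query)
    # Other parameters and the #/sObject/... fragment are left untouched.
    return urlunsplit(parts._replace(query=query)), count > 0

def scrub_line(line):
    """Redact every session-bearing URL in one log line."""
    hits = 0
    def repl(match):
        nonlocal hits
        redacted, found = redact_url(match.group(0))
        hits += found
        return redacted
    return URL_RE.sub(repl, line), hits

def scrub_log(lines):
    """Return (cleaned_lines, 1-based line numbers that exposed a sid)."""
    cleaned, findings = [], []
    for number, line in enumerate(lines, 1):
        new_line, hits = scrub_line(line)
        cleaned.append(new_line)
        if hits:
            findings.append(number)
    return cleaned, findings

# Constructed sample log lines (fake host, IDs and session values).
SAMPLE_LOG = [
    "10.0.0.5 GET https://myinstance.salesforce.com/secur/frontdoor.jsp?sid=00DEXAMPLE!FAKE1 302",
    "10.0.0.5 GET https://myinstance.salesforce.com/one/one.app?sid=00DEXAMPLE!FAKE2#/sObject/006B0000002p2FrIAI/view 200",
    "10.0.0.7 GET https://myinstance.salesforce.com/secur/frontdoor.jsp?orgId=00DEXAMPLE&sid=00DEXAMPLE!FAKE3&portalId=060EXAMPLE 302",
    "10.0.0.9 GET https://myinstance.salesforce.com/home/home.jsp?side=left 200",
]

if __name__ == "__main__":
    cleaned, findings = scrub_log(SAMPLE_LOG)
    print("lines exposing a session ID:", findings)
    print("\n".join(cleaned))
```

Any line number this reports means a live session ID was written somewhere it could be read, so that session should be treated as exposed and ended.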


  • Radnip

    Interesting hack! Even more of a reason to protect your org using IP restrictions and not to attempt to bypass the standard Salesforce security, as the session Id is exposed in your browser, so in theory any trojan could grab it.