System.UserInfo.getSessionId() throws System.UnexpectedException

[krishnandusarkarprax]

Package Edition of Nebula Logger

Unlocked Package

Package Version of Nebula Logger

4.13.17

New Bug Summary

Package Edition of Nebula Logger
Unlocked Package

Package Version of Nebula Logger
4.13.17

New Bug Summary
When a user logs in through a server-to-server connected app with the setting "Issue JSON Web Token (JWT)-based access tokens for named users" enabled tries to use a Logger.xxx method, a Salesforce System Error is thrown.

Debugging reveals that the issue occurs when System.UserInfo.getSessionId() is called. Even with a try/catch block around this call, the code doesn't reach the catch block; instead, the error is thrown directly.

The only workaround is to disable the "Issue JSON Web Token (JWT)-based access tokens for named users" setting.

Defect #598 was reported a few months ago, leading to the resolution of adding a try/catch block around this code. However, despite the latest Salesforce Release (Winter '25) and Nebula Logger (version 4.13.17), the issue persists.

[jongpie]

@krishnandusarkarprax thanks for reporting this! Trying to get the user's session has been such a headache for years (issues #97 is another example where this came up ~3 years ago), and I haven't run into this particular issue myself before, so I appreciate the info & context.

Is it feasible for you to add this code snippet somewhere in your org (either in the Logger class somewhere, or one of your own Apex classes)? It just needs to be added in some Apex method that would be called in your scenario when you're using the setting "Issue JSON Web Token (JWT)-based access tokens for named users"

Integer currentSessionCount = [
    SELECT COUNT() FROM AuthSession
    WHERE UsersId = :System.UserInfo.getUserId() AND IsCurrent = TRUE
];
System.debug('Count of current sessions for the current user: ' + currentSessionCount);

If you're able to add that & run it, let me know what output you see. I'm wondering if the count will be 0 or 1 in this situation. If it ends up being 0, then I might be able to run that query first, and not call System.UserInfo.getSessionId() to avoid the uncatchable System.UnexpectedException error.

[arafesthain]

Hello

We are getting similar issue when user is logged in through connected app :

System.UnexpectedException: Script-thrown exception\n\n(System Code)\nClass.Logger.__sfdc_USER_SESSION_ID: line 95, column 1\nClass.Logger.loadTransactionQuiddity: line 3933, column 1\nClass.Logger:

[jongpie]

Hi @arafesthain - is that error something that you can reproduce in a sandbox/scratch org? If so, would it be possible for you to add this code somewhere in your own code to see what it outputs?

System.debug('Current quiddity: ' + System.Request.getCurrent().getQuiddity());

If that's feasible for you to try, let me know what it says for the quiddity value.

[Ben-Culver]

@jongpie I'm having the same issue. I've added the debug lines you've requested though I may not have placed one in the best spot. Please let me know if I should move it and try again or if you'd like me to do something else. I want to note that this is happening in a full copy sandbox, started after a recent refresh and does not appear to be happening in production.

I added one to the method that is throwing the error:

private static System.Quiddity loadTransactionQuiddity() {
    // An error can sometimes occur when calling System.Request.getCurrent(), such as when logging
    // from an Auth Provider class (that implements Auth.RegistrationHandler). As a workaround,
    // skip calling System.Request.getCurrent() if there is no user session.
    // TODO: see if there is a better approach for this long term (or hopefully Salesforce fixes the gack error)
      Integer currentSessionCount = [
              SELECT COUNT() FROM AuthSession
              WHERE UsersId = :System.UserInfo.getUserId() AND IsCurrent = TRUE
      ];
      System.debug('Count of current sessions for the current user: ' + currentSessionCount);
    if (String.isNotBlank(USER_SESSION_ID)) {
      return System.Request.getCurrent().getQuiddity();
    } else {
      return null;
    }
  }

DEBUG|Count of current sessions for the current user: 0

The other I added a REST resource handler class right before an error is logged:

System.debug('Current quiddity: ' + System.Request.getCurrent().getQuiddity());

|DEBUG|Current quiddity: REST

[jongpie]

@Ben-Culver thanks so much for testing that out! For now, I think where you put the System.debug calls is good enough, but will let you know if it'd be helpful to put them in a different place.

And just to clarify, when you get the error, is it the same error mentioned above? Or do you get a different exception message?

[Ben-Culver]

@jongpie It is, yes.

[victorkuldeep]

@jongpie - Issue in Session id is that it cannot be catched in TRY CATCH Block as it is Platform level exception. In JWT SAML tokens this issue will always come

We have added PATCH but that needs unmanaged package class to be deployed, we want to avoid it. One quick hot fix needed here. Appreciate if you can do it. Much needed

Give us a Hook here via LABEL -- we put apex class name and you load dynamic and get session id from there else use it if null

SIMPLE FIX FOR ALL

private static final String USER_SESSION_ID {
get {
if (USER_SESSION_ID == null) {
// TODO Spring '24 release - simplify this (and other lazy-loaded values)
// by switching to the fancy, new ?? null coalescing operator
try {
USER_SESSION_ID = System.UserInfo.getSessionId(); // ----------------------> HOOK NEEDED WE WILL SEND BACK SESSION ID BASED ON Quiddity Its like you dont pull session id direct here get it from HOOK via INTERFACR and give a LABEL to put CLASS NAME

    } catch (Exception ex) {
      USER_SESSION_ID = '';
    }
    // If System.UserInfo.getSessionId() returns null, set to an empty string to
    // avoid calling System.UserInfo.getSessionId() again
    USER_SESSION_ID = USER_SESSION_ID ?? '';
  }
  return USER_SESSION_ID;
}
set;

}

[jongpie]

@victorkuldeep can you clarify what you're suggesting? I don't understand how your proposal would work or solve the issue.

[victorkuldeep]

@jongpie - Let me clarify - The line in current code even though wrapped in try | catch block will throw exception in REST Api flow where access_token is generated by JWT or SAML flows in OAuth 2.0

CURRENT CODE - Below is code which has problem - USER_SESSION_ID = System.UserInfo.getSessionId();

private static final String USER_SESSION_ID {
    get {
      if (USER_SESSION_ID == null) {
        // TODO Spring '24 release - simplify this (and other lazy-loaded values)
        // by switching to the fancy, new ?? null coalescing operator
        try {
          USER_SESSION_ID = System.UserInfo.getSessionId();
        } catch (Exception ex) {
          USER_SESSION_ID = '';
        }
        // If System.UserInfo.getSessionId() returns null, set to an empty string to
        // avoid calling System.UserInfo.getSessionId() again
        USER_SESSION_ID = USER_SESSION_ID ?? '';
      }
      return USER_SESSION_ID;
    }
    set;
  }

Even though it is wrapped in Try, Catch Salesforce will throw below exception : System.UnexpectedException and this is platform exception which cannot be catched and it will blow up full logging chain. This is critical bug for M2M (machine to machine) flows

{
  "errorCode": "APEX_ERROR",
  "message": "System.UnexpectedException: Script-thrown exception\n\n(System Code)\nClass.Logger._sfdc_USER_SESSION_ID: line 95, column 1\nClass.Logger.loadTransactionQuiddity: line 3933, column 1\nClass.Logger: line 39, column 1\nClass.DummyNebulaAPI.doGet: line 11, column 1"
}

How to Harden the code -

Instead of directly using this - you gives us a Apex Hook via Label beacuse it is initlizing at static block so even before config loads it blows up the loggeder chain.

How we patched it - We used Apex : LoggerSessionGuard.cls to return session id to Nebula hence needed this Apex as Hook like you give us an interface with fetchSessionid or getSessionId method and we will implement interfact and gives you session id either token Or '' EMPTY_STRING and give us some place where we can configure that class name and you load it via Type class and call interface method and pass session id and if class name is not provided you continue to use current code.

try {
        //Issue - https://github.com/jongpie/NebulaLogger/issues/761
        USER_SESSION_ID = LoggerSessionGuard.getSafeSessionId(); // PATCH - Added by Accenture
        //USER_SESSION_ID = System.UserInfo.getSessionId();
} catch (Exception ex) {
    USER_SESSION_ID = '';
}

Conclusion - So this delegates to the user of Nebula to pass correct session id and let them handle M2M or JWT flows detection via username or custom logic which nebulla does not care. In this way package remains generic with Enterprise Grade Extension hook model and fallback will continue to work same way. So let implementor will pass sesison id and nebula can override it.

I hope i am able to explain it well feel free to reach me out we can discuss more if needed.
Regards,
Kuldeep Singh | https://www.linkedin.com/in/victorkuldeep/

[jongpie]

@victorkuldeep what does your LoggerSessionGuard class actually do though? How would it load a session ID without running into the same System.UnexpectedException?

It also seems... strange for Nebula Logger to have to provide an interface / dynamically load an org-specific class, just to load a session ID. Loading the session ID should be handled by Nebula Logger, I don't want to require orgs to have to add in their own class just for this.

[victorkuldeep]

@jongpie

Scenarios -

Yes i completely agree that looks like over engineering and below is sample class where i just ignored Session id completely for REST - this is just for illustration and we have AWS lambda functions too for research sandboxes where JWT tokens are issues via checking with Elantra id's and used for integrations or SAML tokens can also be generated by middle wares to integrate custom apps with SAAS. All of those custom Api leveraging nebula will break and need to be handled.

At this moment you cannot detect in generic way that what token is used to access resources and where Session Id is not available unless salesforce gives. Using a hook is up-to caller what session id they need to pass to logger or empty. This is one use case we found and later same construct can be used for more framework customizations that caller needs control on top of custom settings. Just think about it.

Using hook caller can detect user name and can send EMPTY_STRING or leverage token services to get token and pass to nebula to use in logger chain. There can be many scenarios, so i would recommended to use hook to get more custom data into logger and use as Environment Ovveride.

If not then give some configuration to avoid LoggerSessionGuard.getSafeSessionId() and replace with EMPTY_STRING. Currently its an unhandled exception. It works via Configuration flag also to make it EMPTY_STRING for specific users but where apps are integrated via SAML tokens or JWT this might not be full proof.

Current priority is to harden this not to break logger chain and final solution you can take a call.

Still i will say give a Hook and extend it a general purpose Environment Overrides and session id can be one use case.

But this needs a fix as it is breaking all apps running on JWT/SAML assertions unless salesforce gives a fix which is unknow.

In reality this is a Salesforce Bug throwing Unexpected Exception. Still plan something here as try/catch won't help

Sample Class to return EMPTY_SESSION_ID

/**
 * LoggerSessionGuard
 * ------------------
 * Tiny patch class to safely resolve UserInfo.getSessionId()
 * without crashing in M2M/REST contexts (JWT Bearer, SAML Bearer).
 *
 * Problem: In Quiddity.REST contexts, UserInfo.getSessionId() throws
 * System.UnexpectedException which is NOT catchable in Apex.
 * Nebula Logger's existing try/catch never fires.
 *
 * Solution: Check Quiddity BEFORE calling getSessionId().
 * Logger.cls calls this class — zero other changes needed.
 *
 * Issue: https://github.com/jongpie/NebulaLogger/issues/761
 */
public class LoggerSessionGuard {

    private static final Set<System.Quiddity> NO_SESSION_QUIDDITIES = new Set<System.Quiddity>{
        System.Quiddity.REST       // JWT / SAML Bearer — confirmed root cause
        // System.Quiddity.FUTURE,      // @future methods
        // System.Quiddity.QUEUEABLE,   // Queueable Apex
        // System.Quiddity.BATCH_APEX,  // Batch Apex
        // System.Quiddity.SCHEDULED    // Scheduled Apex
    };

    /**
     * Returns true if getSessionId() would throw UnexpectedException.
     * Call this BEFORE UserInfo.getSessionId().
     */
    public static Boolean isSessionUnavailable() {
        return NO_SESSION_QUIDDITIES.contains(
            System.Request.getCurrent().getQuiddity()
        );
    }

    /**
     * Safe wrapper — returns session ID or empty string.
     * Never throws. Call this instead of UserInfo.getSessionId() directly.
     */
    public static String getSafeSessionId() {
        if (isSessionUnavailable()) {
            return '';
        }
        try {
            return System.UserInfo.getSessionId() ?? '';
        } catch (Exception ex) {
            return '';
        }
    }
}

[mmablom]

@jongpie

@krishnandusarkarprax thanks for reporting this! Trying to get the user's session has been such a headache for years (issues #97 is another example where this came up ~3 years ago), and I haven't run into this particular issue myself before, so I appreciate the info & context.

Is it feasible for you to add this code snippet somewhere in your org (either in the Logger class somewhere, or one of your own Apex classes)? It just needs to be added in some Apex method that would be called in your scenario when you're using the setting "Issue JSON Web Token (JWT)-based access tokens for named users"

Integer currentSessionCount = [
SELECT COUNT() FROM AuthSession
WHERE UsersId = :System.UserInfo.getUserId() AND IsCurrent = TRUE
];
System.debug('Count of current sessions for the current user: ' + currentSessionCount);

If you're able to add that & run it, let me know what output you see. I'm wondering if the count will be 0 or 1 in this situation. If it ends up being 0, then I might be able to run that query first, and not call System.UserInfo.getSessionId() to avoid the uncatchable System.UnexpectedException error.

Since API version 64 there's a new field on AuthSession: (IsAssociatedWithJwtAccessToken)[https://developer.salesforce.com/docs/atlas.en-us.260.0.object_reference.meta/object_reference/sforce_api_objects_authsession.htm#:~:text=IsAssociatedWithJwtAccessToken]. In my tests for an API Only User I got one AuthSession object from the following query:

SELECT Id,
  IsCurrent,
  IsAssociatedWithJwtAccessToken,
  SessionType,
  UserType,
  LoginType,
  NumSecondsValid,
  CreatedDate,
  LastModifiedDate,
  ParentId,
  Users.Username
FROM AuthSession

The result:

AuthSession: {
  Id=123,
  IsCurrent=false,
  IsAssociatedWithJwtAccessToken=true, 
  SessionType=Oauth2, 
  UserType=Standard, 
  LoginType=Remote Access 2.0, 
  NumSecondsValid=7200, 
  CreatedDate=2026-04-21 11:44:41, 
  LastModifiedDate=2026-04-21 12:13:16, 
  UsersId=123
}

Unfortunately, while the this does return the current session, IsCurrent is false while IsAssociatedWithJwtAccessToken is true. Additionally, when this query is run as an admin it will return sessions for all users.

Some safe variant for this could be:

private static final Boolean IS_JWT_SESSION {
    get {
        if (IS_JWT_SESSION == null) {
            IS_JWT_SESSION = [
                SELECT IsAssociatedWithJwtAccessToken
                FROM AuthSession
                WHERE UsersId = :System.UserInfo.getUserId()
                ORDER BY LastModifiedDate DESC
                LIMIT 1
            ].IsAssociatedWithJwtAccessToken;
        }

        return IS_JWT_SESSION ;
    }
    set;
}

private static final String USER_SESSION_ID {
    get {
        if (USER_SESSION_ID == null) {
            try {
                USER_SESSION_ID = IS_JWT_SESSION 
                    ? ''
                    : System.UserInfo.getSessionId();
            } 
            catch (Exception ex) {
                USER_SESSION_ID = '';
            }

            USER_SESSION_ID = USER_SESSION_ID ?? '';
        }

        return USER_SESSION_ID;
    }
    set;
}

When debugging this via Apex REST with JWT either enabled or disabled, this provided the expected result for an API Only User. I could not discern when exactly the AuthSession is updated, so sorting by LastModifiedDate may not be optional. This may cause issues if there are other non JWT sessions active for the same user. A solution may be to query all sessions for the user and only determine we're in a JWT session if all other sessions also have IsCurrent set to false:

private static Boolean IS_JWT_SESSION {
  get {
    if (IS_JWT_SESSION == null) {
      Boolean hasCurrentSession = false;
      Boolean hasJwtSession = false;
      
      for (AuthSession session : [
        SELECT IsCurrent, IsAssociatedWithJwtAccessToken
        FROM AuthSession
        WHERE UsersId = :System.UserInfo.getUserId()
      ]) {
        if (session.IsAssociatedWithJwtAccessToken) {
          hasJwtSession = true;
        }
        else if (session.IsCurrent) {
          hasCurrentSession = true;
        }
      }
      
      IS_JWT_SESSION = !hasCurrentSession && hasJwtSession;
    }
    
    return IS_JWT_SESSION ;
  }
  set;
}

NB: Since this issue seems to be the root cause, I posted here. This is also based on the reply here: #964 (comment) (although I could not find the field Active on AuthSession)