Here are a few things to consider:
Is it possible that this page will be hosted on your site?
Is this going to be used by a number of different Salesforce organisations?
To obtain a session id, one option is to use the login() API call. If the login fails, you'll be able to detect it and notify the user appropriately.
After that, the user must be redirected to the "frontdoor.jsp" page, which has the following format:
- https://[host].salesforce.com/secur/frontdoor.jsp?sid=[session_id]&retURL=[start_page]
Where:
- [host] - varies by organization. Some that I've seen are na1, na2, .... If you are only building this for 1 organization, you could hard-code this value. If you are building this for multiple organizations, you could parse it from the serverUrl property of the returned LoginResult.
- [session_id] - get this from the returned LoginResult
- [start_page] - this is optional but can be used to "deep link" a user to a page after they've logged in.
Edit: 2014-08-25
Salesforce now officially supports the frontdoor.jsp method of login described in this answer (link). In addition, session_ID tokens can be obtained from any of the following sources:
- The access_token from an OAuth authentication. Note that one of the scopes specified when you create a Connected App must be web or full.
- The LoginResult returned from a SOAP API login() call
- The Apex UserInfo.getSessionId()
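The following is an added example, not part of the original answer: it builds the frontdoor.jsp URL from a LoginResult's serverUrl and session id, rejecting a serverUrl that is not an https *.salesforce.com host and a start page that is not a relative path, and it redacts the sid before the URL is logged. The function names `frontdoor_url` and `redact_sid` are hypothetical, and the sample values in the comments are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, urlencode

# Hostname must be one or more DNS labels followed by salesforce.com.
_HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+salesforce\.com")


def frontdoor_url(server_url, session_id, start_page=None):
    """Build https://[host].salesforce.com/secur/frontdoor.jsp?sid=...&retURL=...

    server_url and session_id are the serverUrl and sessionId fields of the
    LoginResult; start_page is the optional deep link.
    """
    parts = urlsplit(server_url)
    host = (parts.hostname or "").lower()
    # Only hand the session id to an https host under salesforce.com.
    if parts.scheme != "https" or not _HOST_RE.fullmatch(host):
        raise ValueError("serverUrl is not an https *.salesforce.com URL")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("serverUrl carries credentials or an unexpected port")
    if not session_id or any(c.isspace() for c in session_id):
        raise ValueError("session id is empty or contains whitespace")

    query = {"sid": session_id}
    if start_page is not None:
        # Keep the deep link inside the org: a relative path only, so that
        # "//other.host" or "https://other.host" cannot be passed through.
        if (not start_page.startswith("/") or start_page.startswith("//")
                or "\\" in start_page):
            raise ValueError("start page must be a relative path")
        query["retURL"] = start_page

    # urlencode percent-encodes the "!" in the session id and the "/" in retURL.
    return urlunsplit(("https", host, "/secur/frontdoor.jsp", urlencode(query), ""))


def redact_sid(url):
    """Mask the session id so the URL can be written to logs."""
    return re.sub(r"(sid=)[^&]+", r"\1[REDACTED]", url)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = frontdoor_url(
        "https://na1.salesforce.com/services/Soap/u/30.0/00Dxx0000000001",
        "00Dxx0000000001!AQ.constructed_session",
        "/001/o",
    )
    print(redact_sid(url))
```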