security token vs session id vs access token

A session ID identifies a user using the UI or an API/integration tool. It has a set time to live and may be manually expired by explicitly logging out. It may also be tied to a specific IP address, if configured. Session ID values are valid across all APIs, including SOAP and REST endpoints.

Access Tokens are used by Connected Apps and other OAuth-enabled apps (such as Chatter Mobile). These tokens also have a similar life span, but can also be refreshed with a Refresh Token if granted permission. This allows services to have long-lived connections to the user account, even if they log out of other devices. Like session IDs, you can use access tokens anywhere a session ID is valid.

Security Tokens are the only type of token a user actually needs to "remember". A security token grants access to the user's account from outside of their normal domain. This token is only necessary if the user's current IP address is not whitelisted, and will not allow users to access salesforce.com outside of their IP restrictions or login times. The token is always provided as part of the password: passwordtoken. There is no intervening space or other symbol that separates the two.


As far as I know:

Session ID: A session ID is obtained when a user logs in from the web interface or makes a SOAP API call. A session is bound by the user's login time and activity, and expires if the user remains idle for a specific time.

Access token: The access token is part of the standard OAuth flow. It allows operations to be performed on behalf of a user who authorizes a connected app or other apps, according to the permissions defined. It is a time-specific token that works on behalf of the user. It expires after a period of time. The default is 3600 seconds. In the case of Salesforce, it is obtained according to the OAuth 2.0 specification. Unlike a session ID, an access token expires after a fixed time period.

Security token: The security token is an addition to the user's password which allows access to the organization without IP restrictions. A request made from a whitelisted IP never requires the security token, but others require it. The relationship of the security token to the access token or session ID is that when a request is made from a non-whitelisted IP, the security token needs to be appended to the user's password, e.g. myPassword+mySecurityToken, in the request; otherwise only the password needs to be sent for authorization and for receiving an access token or session ID.
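
Added example, not part of either answer above: a Python illustration of the password-plus-security-token rule both answers describe, applied to the form body of an OAuth 2.0 username-password token request (POST to `/services/oauth2/token`). The helper names are hypothetical, and the IP ranges, username and secrets are constructed sample values.

```python
import ipaddress
from urllib.parse import urlencode, parse_qs


def needs_security_token(client_ip, trusted_ranges):
    """True when client_ip is outside every trusted (whitelisted) range."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(r) for r in trusted_ranges)


def login_secret(password, security_token, client_ip, trusted_ranges):
    """Password alone from a trusted IP; otherwise password followed by the token."""
    if needs_security_token(client_ip, trusted_ranges):
        return password + security_token  # no space or other separator
    return password


def token_request_body(username, secret, client_id, client_secret):
    """Form-encoded body for the password grant.

    urlencode escapes '&', '+' and '=' so a password containing them is
    not split or altered before the server sees password+token.
    """
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": secret,
    })


def redact(body):
    """Copy of the body that is safe to log: secret fields are replaced."""
    fields = parse_qs(body, keep_blank_values=True)
    for key in ("password", "client_secret"):
        if key in fields:
            fields[key] = ["<redacted>"]
    return urlencode(fields, doseq=True)


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, fake credentials).
    trusted = ["198.51.100.0/24"]
    secret = login_secret("p&ss+word", "TOKEN123", "203.0.113.7", trusted)
    body = token_request_body("user@example.com", secret, "app-id", "app-secret")
    print(redact(body))
```

Because the concatenated value carries two secrets in one field, log only the redacted form of the request body.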