Understanding Session Settings in Salesforce: A Complete Guide

Leave a Comment / Blog / By

Understanding Session Settings in Salesforce: A Complete Guide

Security is one of the top priorities in Salesforce. While profiles, permission sets, and sharing rules define who can access what, there’s another equally important layer of protection: Session Settings.

Session Settings control how long and under what conditions a user session remains active, along with additional security features that protect your Salesforce org against unauthorized access, session hijacking, and phishing attacks.

In this blog, we’ll explore:

  1. What Session Settings are.
  2. Why we need them.
  3. A detailed breakdown of each feature.
🔹 What are Session Settings in Salesforce?

A session in Salesforce is the duration a user is logged in and actively working. Session Settings allow administrators to define policies for login sessions, such as:

  • How long users can stay logged in.
  • When a session should automatically expire.
  • Which security measures should be enforced during user activity.

This helps maintain a balance between user convenience and data security.

🔹 Why do we need Session Settings?

We need Session Settings to:

  • Prevent unauthorized access if a user forgets to log out.
  • Protect against session hijacking (e.g., cookie stealing).
  • Enforce organization-level compliance with security standards.
  • Provide flexibility for different use cases (e.g., stricter rules for service agents vs. relaxed rules for admins working long hours).

In short: Session Settings ensure security without compromising productivity.

🔹 Key Features of Session Settings in Salesforce

Here’s a breakdown of the important features you can configure:
          1. Session Timeout

  • Defines how long a session can remain inactive before the user is automatically logged out.
  • Options range from 15 minutes to 24 hours.
  • Helps reduce risk when users leave their computers unattended.

👉 Example: Set 30 minutes timeout for call center agents to ensure quick logout if they step away.

         2. Force Logout on Session Timeout

  • If enabled, users are logged out immediately when the timeout occurs.
  • If disabled, users can continue working after re-authentication.
  • Best practice: Keep it enabled for security.

    3. Lock sessions to the IP address from which they originated

  • Ensures that the session remains valid only for the IP address where it started.
  • Protects against session hijacking, but can create issues if users switch networks frequently (e.g., from Wi-Fi to mobile).

    4. Lock sessions to the domain in which they were first used

  • Restricts a session to the Salesforce domain where the login occurred.
  • Prevents attackers from moving an authenticated session to a fake domain.

    5. Enable Clickjack Protection

Clickjacking is an attack where malicious sites trick users into clicking hidden Salesforce buttons.

  • You can enable protection for:
    • Standard Salesforce pages
    • Non-setup pages
    • Setup pages
    • Custom Visualforce pages
  • Best practice: Enable for all critical areas.

    6. Enable CSRF Protection on GET Requests

  • Protects against Cross-Site Request Forgery (CSRF) by blocking state-changing actions via GET requests.
  • Ensures that sensitive operations require POST requests with a valid token.

    7. Enable Browser Cache Security

  • Prevents sensitive Salesforce pages (like Setup or Record Edit) from being cached by the browser.
  • Reduces the risk of data exposure if someone else uses the same computer.

    8. Enable HTTPOnly and Secure Cookies

  • HTTPOnly cookies prevent client-side scripts from accessing session cookies (protecting against XSS attacks).
  • Secure cookies ensure cookies are only transmitted over HTTPS.

    9. Enable Content Sniffing Protection

  • Prevents browsers from interpreting files as a different MIME type than declared.
  • Protects against malicious scripts being disguised as harmless files.

    10. Require HttpOnly Attribute

  • Ensures that all session cookies are flagged as HttpOnly.
  • Protects cookies from being accessed by JavaScript.

    11. Require Secure Connections (HTTPS)

  • Ensures all traffic uses SSL/TLS (HTTPS) instead of HTTP.
  • Protects sensitive data like credentials and session tokens from being intercepted.

    12. Enable CORS and CSP (Content Security Policy)

  • CORS: Defines which domains are allowed to access Salesforce APIs.
  • CSP: Prevents malicious scripts and enforces safe resource loading.
  • Great for preventing cross-site attacks.

    13. Login-As Session Settings

  • Controls what admins can do when they log in as another user.
  • Ensures accountability and prevents misuse of delegated access.

    14. Session Security Levels

  • Salesforce allows marking sessions as High Assurance or Standard.
  • High Assurance sessions may require multi-factor authentication (MFA).
  • Example: Accessing sensitive apps like FinancialForce or Health Cloud may require a High Assurance session.

    15. Custom Domain Enforcement (My Domain)

  • Sessions are tied to your org’s My Domain.
  • Prevents login through generic Salesforce domains.
  • Adds another layer of phishing protection.
🔹 Best Practices for Configuring Session Settings
  1. Set shorter session timeouts for high-risk users (e.g., call center agents).
  2. Always enable Force Logout on Timeout.
  3. Enable Clickjack protection for all pages.
  4. Use HTTPS and Secure Cookies without exception.
  5. Implement MFA with High Assurance sessions.
  6. Lock sessions to IP/domain only if your users don’t move across networks often.
✅ Conclusion

Session Settings in Salesforce provide critical safeguards for your org by defining how user sessions behave, ensuring data protection, and reducing security risks. With the right configuration, you can strike the perfect balance between security and user productivity.

 

Leave a Comment

Your email address will not be published. Required fields are marked *