Newer Version Available
Modify Session Security Settings
| Available in: Lightning Experience and Salesforce Classic (not available in all orgs) |
|
The Lock sessions to the IP address from which they originated setting is available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions All other settings available in: Essentials, Personal, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| User Permissions Needed | |
|---|---|
| To modify session security settings: | Customize Application |
- Configure Session Timeout Settings
- Configure Session Settings
- Configure Secure Connections (HTTPS) Settings
- Configure Caching Settings
- Configure Clickjack Protection Settings
- Cross-Site Request Forgery Protection
- Configure Content Security Policy Protection
- Configure Extra Protection for Your Sessions
- Configure Session Security Levels
- Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps
- Configure Logout Page Settings
- Configure Session Settings for New User Email
Configure Session Timeout Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Timeout Value, select the length of time after which the system logs out inactive users. For portal users, even though the actual timeout is between 10 minutes and 24 hours, you can only select a value between 15 minutes and 24 hours. Choose a shorter timeout period if you want to enforce stricter security for sensitive information.
- Select Disable session timeout warning popup to disable the timeout warning message for inactive users. When this parameter isn’t selected, a timeout warning message prompts inactive users 30 seconds before timeout, or as specified by the timeout value.
- Select Force logout on session timeout to invalidate timed-out sessions for inactive users. The browser refreshes and returns to the login page, and the user must log in again for access.
Configure Session Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Lock sessions to the IP address from which they originated to lock the IP address from which the user logged in. Locking the IP address helps to prevent unauthorized persons from hijacking a valid session.
- Select Lock sessions to the domain in which they were first used to associate a current UI session for a user, such as an Experience Site user, with a specific domain. This setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.
Configure Secure Connections (HTTPS) Settings
By default, Salesforce requires HTTPS connections and automatically upgrades HTTP requests to HTTPS via the HSTS header. HTTPS is also required for connections to third-party domains.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Force relogin after Login-As-User to require an admin who is logged in as another user to log in again after logging out as the other user. This setting is enabled by default.
- Select Require HttpOnly attribute to restrict session ID cookie access. A cookie with the HttpOnly attribute isn’t accessible through non-HTTP methods, such as calls from JavaScript.
- Select Use POST requests for cross-domain sessions to send session information using a POST request rather than a GET request for cross-domain exchanges. For example, when you use a Visualforce page, POST requests are more secure because they keep the session information in the body of the request. But if you enable this setting, sometimes embedded content from another domain, such as an image, doesn’t display.
- Select Enforce login IP ranges on every request to restrict the
IP addresses that users can gain access from to only the IP addresses define in Login IP
Ranges.
- If you enable this setting, login IP ranges are enforced on each page request, including requests from client applications.
- If you don’t enable this setting, login IP ranges are enforced only when a user logs in. This setting affects all user profiles that have login IP restrictions.
- For Login IP Ranges (for Contact, Manager, Group, and Professional editions only), if you selected Enforce login IP ranges on every request, specify a range of IP addresses that users must log in from (inclusive). To specify a range, click New and enter a Start IP Address and End IP Address to define the range, which includes the start and end values.
Configure Caching Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Enable caching and autocomplete on login page to allow a user’s browser to store usernames. If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher. This setting is enabled by default.
- Select Enable secure and persistent browser caching to improve performance to enable secure data caching in the browser. When selected, this setting improves page reload performance by avoiding extra round trips to the server. This setting is enabled by default.
- Select Enable user switching to display the Switcher when your users select their profile pictures. Deselect this setting to prevent your org from displaying in Switchers on other orgs. It also prevents your users from seeing the Switcher when they select their profile picture. This setting is enabled by default.
- Select Remember me until logout to delete cached usernames only
if the user explicitly logs out. If the session times out, usernames display on the
Switcher as inactive. So if users are on their own computer and allow a session to time
out, they can select the username to reauthenticate. But if they're on a shared computer,
the username is deleted immediately when the user logs out. This setting applies to all
your users.
If you don’t enable this setting (default), usernames are cached only while a session is active or a user selects Remember Me. This option isn't available for single sign-on sessions. When the session expires, the username disappears from the login page and the Switcher. Keep this setting disabled if authentication providers aren’t exposed on your login page.
- Select Enable Content Delivery Network (CDN) for Lightning Component framework to load Lightning Experience and other apps faster by enabling Akamai’s content delivery network (CDN) to serve the static content for Lightning Component framework. A CDN generally speeds up page load time, but it also changes the source domain that serves the files. If your company has IP range restrictions for content served from Salesforce, test thoroughly before enabling this setting. CDNs improve the load time of static content by storing cached versions in multiple geographic locations. This setting turns on CDN delivery for the static JavaScript and CSS in the Lightning Component framework. It doesn’t distribute your Salesforce data or metadata in a CDN.
Configure Clickjack Protection Settings
Configure clickjack protection settings for your Salesforce UI. Clickjacking is also called user interface redress attack. The Enable clickjack protection for Setup pages and Enable clickjack protection for non-Setup Salesforce pages settings are enabled by default to protect your Salesforce UI from clickjack attacks. To disable these settings, contact Salesforce Support.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Enable clickjack protection for customer Visualforce pages with
standard headers to protect against clickjack attacks on Visualforce pages
with headers enabled.
To allow iframes on trusted external domains, add these domains under to the Trusted Domains for Inline Frames list for your sites.
- Select Enable clickjack protection for customer Visualforce pages with headers disabled to protect against clickjack attacks on Visualforce pages with headers disabled (the showHeader="false" has been added to the page).
- To allow iframes on trusted external domains, take these steps.
- in the Trusted Domains for Inline Frames section on this page, click Add Domain.
- Enter the trusted external domains.
- Select Visualforce Pages as the iframe type.
- Save your changes.
Cross-Site Request Forgery Protection
Salesforce is automatically protected against Cross Site Request Forgery (CSRF) attacks. Your non-setup pages include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters. The application doesn’t execute the command unless the value found matches the expected value.
Configure Content Security Policy Protection
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Override Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer to override a specific security restriction on accessing email templates in Salesforce Classic from Internet Explorer.
- Select Enable Stricter Content Security Policy to prohibit the
use of the unsafe-inline source for the script-src directive.
The Lightning Component framework uses Content Security Policy (CSP), the W3C standard to control the source of content that can be loaded on a page. This setting mitigates the risk of cross-site scripting attacks. In the current release, this setting is always enabled and unsafe-inline is always prohibited, even if this setting appears to be disabled. We plan to remove the setting from Session Settings in a future release, as the restriction on unsafe inline JavaScript is always enforced.
Configure Extra Protection for Your Sessions
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Enable XSS protection to protect against cross-site scripting attacks. If a reflected cross-site scripting attack is detected, the browser shows a blank page with no content.
- Select Enable Content Sniffing protection to prevent the browser from inferring the MIME type from the document content. This setting also prevents the browser from executing malicious files (JavaScript, Stylesheet) as dynamic content.
- Select Hide this site's URL from other web sites (including Visualforce pages) to show only Salesforce.com rather than the entire URL in the referred header when pages are loading. This setting eliminates the potential for a referrer header to reveal sensitive information that could be present in a full URL, such as an org ID. This setting works only with Chrome and Firefox.
- Select Warn users before they are redirected outside of Salesforce to display a warning message when users click links that take them outside the salesforce.com domain. The warning message includes the full link to the external URL and the domain name. Use this feature to protect your users from malicious URLs and phishing. In Lightning Experience, the warning message applies only to web tabs.
Configure Session Security Levels
You can restrict access to certain types of resources based on the security level associated with the authentication method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so that specified resources are available only to users assigned a High Assurance level.
For sensitive operations, always require a High Assurance level of security or block users. If users already have a High Assurance session after logging in, they aren’t prompted to reverify their identity in the same session. This requirement applies even if you require High Assurance for these operations.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- From Session Security Levels, select the login method.
Type Default Session Security Level Description Username and Password Standard Users log in by providing a username and password on a login page. Delegated Authentication Standard Users log in by providing a username and a password that is validated using a callout to a delegated authentication endpoint. Activation Standard Users verify their identity when accessing Salesforce from a new browser or device. Lightning Login Standard Internal users log in by using Salesforce Authenticator instead of a password. Passwordless Login Standard Experience Cloud users log in by providing a verification code instead of a password. Multi-Factor Authentication High Assurance Users complete a multi-factor authentication (MFA) challenge to access a resource. For example, a user must complete MFA when accessing a report that requires a High Assurance level with the Raise session level policy. Authentication Provider Standard Users log in to Salesforce using their login credentials from a third-party service provider. SAML Standard Users are authenticated using the SAML protocol for single sign-on. - To move the method to the proper category, click Add or Remove.
Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps
- Block—Prevents access to the resource by showing an insufficient privileges error.
- Raise session level—Prompts users to complete MFA. When users authenticate successfully, they can access the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or just when they export and print them.
Session levels have no impact on resources in the app other than connected apps, reports, and dashboards that have defined security policies.
For information about requiring High Assurance when accessing a connected app, see Manage Session Policies for a Connected App.
- From Setup, in the Quick Find box, enter Access Policies, then select Access Policies.
- Select High Assurance session required.
- Select an option to block access to reports and dashboards or to raise the session level to high assurance.
- Save your changes.
For more information, see Require High Assurance Session Security for Sensitive Operations
Configure Logout Page Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Logout URL, enter the URL for the page to redirect users to
after they log out of Salesforce. For example, enter the URL for an authentication
provider’s page or a customer-branded page.
This redirect logout URL is used only if no logout URL is specified in the identity provider, SAML single sign-on, or third-party authentication provider settings. If you don’t provide a logout URL, the default is https://login.salesforce.com, unless MyDomain is enabled. If My Domain is enabled, the default is https://MyDomainName.my.salesforce.com.
- Select Store the redirect logout URL in your local browser to
redirect all expired tabs in your browser to your custom logout URL. Before enabling this
setting, review these considerations.
- You must first enable My Domain to use this setting.
- This setting uses the browser’s local storage to store the custom logout URL.
- Verify that this setting doesn’t interfere with your custom login integrations.
Configure Session Settings for New User Email
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Link expires in, select the amount of time that the account
verification link in welcome emails to new users is valid. You can select 1, 7, or 180
days. By default, account verification links expire after 7 days.
When you update this setting, the change applies to links in welcome emails that were already sent. For example, you sent a welcome email 2 days ago with the link set to expire in 7 days. If you update the setting so that links expire in 1 day, the link in the email you sent 2 days ago is no longer valid.