Newer Version Available

This content describes an older version of this product. View Latest

Modify Session Security Settings

Use the Session Settings screen to configure session security. You can configure settings such as the session connection type, timeout restrictions, and IP address ranges to protect against malicious attacks.
Available in: Lightning Experience and Salesforce Classic (not available in all orgs)

The Lock sessions to the IP address from which they originated setting is available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

All other settings available in: Essentials, Personal, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions


User Permissions Needed
To modify session security settings: Customize Application

Identity verification settings are also available on the Identity Verification page. You can change identity verification settings in either location. For information about configuring these settings, see Define Identity Verification Settings for Your Orgs and Experience Cloud Sites.

Note

Configure Session Timeout Settings

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. For Timeout Value, select the length of time after which the system logs out inactive users. For portal users, even though the actual timeout is between 10 minutes and 24 hours, you can only select a value between 15 minutes and 24 hours. Choose a shorter timeout period if you want to enforce stricter security for sensitive information.

    The last active session time value isn’t updated until halfway through the timeout period. So if you have a 30-minute timeout, the system checks for activity after 15 minutes. If you update a record after 20 minutes, your timeout resets because it’s 5 minutes after the active session time is checked. In that scenario, you have another 30 minutes before logout occurs, for a total of 50 minutes. But if you update a record after 10 minutes, logout occurs 20 minutes later (30 minutes total) because there was no activity in the past 15 minutes.

    Note

  3. Select Disable session timeout warning popup to disable the timeout warning message for inactive users. When this parameter isn’t selected, a timeout warning message prompts inactive users 30 seconds before timeout, or as specified by the timeout value.
  4. Select Force logout on session timeout to invalidate timed-out sessions for inactive users. The browser refreshes and returns to the login page, and the user must log in again for access.

    When using this setting, don’t select Disable session timeout warning popup.

    Note

Configure Session Settings

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Lock sessions to the IP address from which they originated to lock the IP address from which the user logged in. Locking the IP address helps to prevent unauthorized persons from hijacking a valid session.

    This setting can inhibit various applications and mobile devices.

    Note

  3. Select Lock sessions to the domain in which they were first used to associate a current UI session for a user, such as an Experience Site user, with a specific domain. This setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.

Configure Secure Connections (HTTPS) Settings

By default, Salesforce requires HTTPS connections and automatically upgrades HTTP requests to HTTPS via the HSTS header. HTTPS is also required for connections to third-party domains.

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Force relogin after Login-As-User to require an admin who is logged in as another user to log in again after logging out as the other user. This setting is enabled by default.
  3. Select Require HttpOnly attribute to restrict session ID cookie access. A cookie with the HttpOnly attribute isn’t accessible through non-HTTP methods, such as calls from JavaScript.

    If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.

    Note

  4. Select Use POST requests for cross-domain sessions to send session information using a POST request rather than a GET request for cross-domain exchanges. For example, when you use a Visualforce page, POST requests are more secure because they keep the session information in the body of the request. But if you enable this setting, sometimes embedded content from another domain, such as an image, doesn’t display.
  5. Select Enforce login IP ranges on every request to restrict the IP addresses that users can gain access from to only the IP addresses define in Login IP Ranges.
    • If you enable this setting, login IP ranges are enforced on each page request, including requests from client applications.
    • If you don’t enable this setting, login IP ranges are enforced only when a user logs in. This setting affects all user profiles that have login IP restrictions.
  6. For Login IP Ranges (for Contact, Manager, Group, and Professional editions only), if you selected Enforce login IP ranges on every request, specify a range of IP addresses that users must log in from (inclusive). To specify a range, click New and enter a Start IP Address and End IP Address to define the range, which includes the start and end values.

    This field isn’t available in Enterprise, Unlimited, Performance, and Developer editions. In those editions, you can specify a valid Login IP Range in the user profile settings.

    Note

Configure Caching Settings

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Enable caching and autocomplete on login page to allow a user’s browser to store usernames. If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher. This setting is enabled by default.

    To improve security, we recommend that you disable this setting. After you disable it, the Remember me option doesn’t appear on your login page or from the Switcher.

    Note

  3. Select Enable secure and persistent browser caching to improve performance to enable secure data caching in the browser. When selected, this setting improves page reload performance by avoiding extra round trips to the server. This setting is enabled by default.

    Disabling secure and persistent browser caching has a significant negative performance impact on Lightning Experience. Only disable in the following scenarios:

    • Your company’s policy doesn’t allow browser caching, even if the data is encrypted.
    • During development in a sandbox or Developer Edition, you want to see the effect of any code changes without emptying the secure cache.

    Warning

  4. Select Enable user switching to display the Switcher when your users select their profile pictures. Deselect this setting to prevent your org from displaying in Switchers on other orgs. It also prevents your users from seeing the Switcher when they select their profile picture. This setting is enabled by default.

    To enable the Enable user switching setting, you must also enable the Enable caching and autocomplete on login page setting.

    Note

  5. Select Remember me until logout to delete cached usernames only if the user explicitly logs out. If the session times out, usernames display on the Switcher as inactive. So if users are on their own computer and allow a session to time out, they can select the username to reauthenticate. But if they're on a shared computer, the username is deleted immediately when the user logs out. This setting applies to all your users.

    If you don’t enable this setting (default), usernames are cached only while a session is active or a user selects Remember Me. This option isn't available for single sign-on sessions. When the session expires, the username disappears from the login page and the Switcher. Keep this setting disabled if authentication providers aren’t exposed on your login page.

  6. Select Enable Content Delivery Network (CDN) for Lightning Component framework to load Lightning Experience and other apps faster by enabling Akamai’s content delivery network (CDN) to serve the static content for Lightning Component framework. A CDN generally speeds up page load time, but it also changes the source domain that serves the files. If your company has IP range restrictions for content served from Salesforce, test thoroughly before enabling this setting. CDNs improve the load time of static content by storing cached versions in multiple geographic locations. This setting turns on CDN delivery for the static JavaScript and CSS in the Lightning Component framework. It doesn’t distribute your Salesforce data or metadata in a CDN.

Configure Clickjack Protection Settings

Configure clickjack protection settings for your Salesforce UI. Clickjacking is also called user interface redress attack. The Enable clickjack protection for Setup pages and Enable clickjack protection for non-Setup Salesforce pages settings are enabled by default to protect your Salesforce UI from clickjack attacks. To disable these settings, contact Salesforce Support.

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Enable clickjack protection for customer Visualforce pages with standard headers to protect against clickjack attacks on Visualforce pages with headers enabled.

    To allow iframes on trusted external domains, add these domains under to the Trusted Domains for Inline Frames list for your sites.

  3. Select Enable clickjack protection for customer Visualforce pages with headers disabled to protect against clickjack attacks on Visualforce pages with headers disabled (the showHeader="false" has been added to the page).
  4. To allow iframes on trusted external domains, take these steps.
    1. in the Trusted Domains for Inline Frames section on this page, click Add Domain.
    2. Enter the trusted external domains.
    3. Select Visualforce Pages as the iframe type.
    4. Save your changes.

Cross-Site Request Forgery Protection

Salesforce is automatically protected against Cross Site Request Forgery (CSRF) attacks. Your non-setup pages include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters. The application doesn’t execute the command unless the value found matches the expected value.

Configure Content Security Policy Protection

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Override Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer to override a specific security restriction on accessing email templates in Salesforce Classic from Internet Explorer.

    We strongly recommend against enabling this setting. Internet Explorer doesn’t meet Salesforce’s required level of browser security protection. Enabling this setting makes your users vulnerable to malicious third-party attempts to access your data.

    Warning

  3. Select Enable Stricter Content Security Policy to prohibit the use of the unsafe-inline source for the script-src directive.

    The Lightning Component framework uses Content Security Policy (CSP), the W3C standard to control the source of content that can be loaded on a page. This setting mitigates the risk of cross-site scripting attacks. In the current release, this setting is always enabled and unsafe-inline is always prohibited, even if this setting appears to be disabled. We plan to remove the setting from Session Settings in a future release, as the restriction on unsafe inline JavaScript is always enforced.

Configure Extra Protection for Your Sessions

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. Select Enable XSS protection to protect against cross-site scripting attacks. If a reflected cross-site scripting attack is detected, the browser shows a blank page with no content.
  3. Select Enable Content Sniffing protection to prevent the browser from inferring the MIME type from the document content. This setting also prevents the browser from executing malicious files (JavaScript, Stylesheet) as dynamic content.
  4. Select Hide this site's URL from other web sites (including Visualforce pages) to show only Salesforce.com rather than the entire URL in the referred header when pages are loading. This setting eliminates the potential for a referrer header to reveal sensitive information that could be present in a full URL, such as an org ID. This setting works only with Chrome and Firefox.
  5. Select Warn users before they are redirected outside of Salesforce to display a warning message when users click links that take them outside the salesforce.com domain. The warning message includes the full link to the external URL and the domain name. Use this feature to protect your users from malicious URLs and phishing. In Lightning Experience, the warning message applies only to web tabs.

Configure Session Security Levels

You can restrict access to certain types of resources based on the security level associated with the authentication method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so that specified resources are available only to users assigned a High Assurance level.

For sensitive operations, always require a High Assurance level of security or block users. If users already have a High Assurance session after logging in, they aren’t prompted to reverify their identity in the same session. This requirement applies even if you require High Assurance for these operations.

To change the security level associated with a login method, take these steps.
  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. From Session Security Levels, select the login method.
    Type Default Session Security Level Description
    Username and Password Standard Users log in by providing a username and password on a login page.
    Delegated Authentication Standard Users log in by providing a username and a password that is validated using a callout to a delegated authentication endpoint.
    Activation Standard Users verify their identity when accessing Salesforce from a new browser or device.
    Lightning Login Standard Internal users log in by using Salesforce Authenticator instead of a password.
    Passwordless Login Standard Experience Cloud users log in by providing a verification code instead of a password.
    Multi-Factor Authentication High Assurance Users complete a multi-factor authentication (MFA) challenge to access a resource. For example, a user must complete MFA when accessing a report that requires a High Assurance level with the Raise session level policy.

    Be careful about changing the security level of MFA to Standard. If MFA has a Standard security level, but the user profile setting, Session security level required at login, requires a High Assurance session security level, the user can’t log in. User access is blocked when the High Assurance requirement isn’t met.

    Warning

    Authentication Provider Standard Users log in to Salesforce using their login credentials from a third-party service provider.
    SAML Standard Users are authenticated using the SAML protocol for single sign-on.

    The security level for a SAML session can also be specified using the SessionLevel attribute of the SAML assertion sent by the identity provider. The attribute can take one of two values, STANDARD or HIGH_ASSURANCE.

    Note

  3. To move the method to the proper category, click Add or Remove.

Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps

You also can set policies requiring High Assurance on reports, dashboards, and connected apps. And you can specify an action to take when the session that’s used to access the resource isn’t High Assurance. These actions are supported:
  • Block—Prevents access to the resource by showing an insufficient privileges error.
  • Raise session level—Prompts users to complete MFA. When users authenticate successfully, they can access the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or just when they export and print them.

Raising the session level to High Assurance by redirecting the user to complete MFA isn’t a supported action in Lightning Experience. If you enable Lightning Experience and set the High Assurance session policy requirement, Lightning Experience users with a standard session are blocked from reports and dashboards. Also, they don’t see the icons for these resources in the navigation menu. As a workaround, users with a Standard Assurance session can log out and log in again using an authentication method that is defined as High Assurance for their org. Then they can access reports and dashboards. Or they can switch to Salesforce Classic, where they’re prompted to raise the session level when they attempt to access reports and dashboards.

Warning

Session levels have no impact on resources in the app other than connected apps, reports, and dashboards that have defined security policies.

For information about requiring High Assurance when accessing a connected app, see Manage Session Policies for a Connected App.

To require a High Assurance policy when accessing reports and dashboards, take these steps.
  1. From Setup, in the Quick Find box, enter Access Policies, then select Access Policies.
  2. Select High Assurance session required.
  3. Select an option to block access to reports and dashboards or to raise the session level to high assurance.
  4. Save your changes.

For more information, see Require High Assurance Session Security for Sensitive Operations

Configure Logout Page Settings

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. For Logout URL, enter the URL for the page to redirect users to after they log out of Salesforce. For example, enter the URL for an authentication provider’s page or a customer-branded page.

    This redirect logout URL is used only if no logout URL is specified in the identity provider, SAML single sign-on, or third-party authentication provider settings. If you don’t provide a logout URL, the default is https://login.salesforce.com, unless MyDomain is enabled. If My Domain is enabled, the default is https://MyDomainName.my.salesforce.com.

  3. Select Store the redirect logout URL in your local browser to redirect all expired tabs in your browser to your custom logout URL. Before enabling this setting, review these considerations.
    • You must first enable My Domain to use this setting.
    • This setting uses the browser’s local storage to store the custom logout URL.
    • Verify that this setting doesn’t interfere with your custom login integrations.

Configure Session Settings for New User Email

  1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  2. For Link expires in, select the amount of time that the account verification link in welcome emails to new users is valid. You can select 1, 7, or 180 days. By default, account verification links expire after 7 days.

    When you update this setting, the change applies to links in welcome emails that were already sent. For example, you sent a welcome email 2 days ago with the link set to expire in 7 days. If you update the setting so that links expire in 1 day, the link in the email you sent 2 days ago is no longer valid.