Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves their computer unattended while still logged on. It also limits the risk of internal attacks, such as when one employee tries to use another employee’s session.
You can control the session expiration time window for user logins by selecting a timeout for user sessions. The default session timeout is two hours of inactivity. When the session timeout is reached, users are prompted with a dialog that allows them to log out or continue working. If they do not respond to this prompt, they are automatically logged out.
By default, Salesforce uses SSL (Secure Sockets Layer) and requires secure connections (HTTPS) for all communication. The Require secure connections (HTTPS) setting determines whether SSL (HTTPS) is required for access to Salesforce, apart from Force.com sites, which can still be accessed using HTTP. If you ask salesforce.com to disable this setting and change the URL from https:// to http://, you can still access the application. However, you should require all sessions to use SSL for added security. See Setting Session Security.
You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so specified resources are only available to users with a High Assurance level. For details, see Session-level Security.