| Timeout value |
Length of time after which the system logs out inactive users.
For Portal users, the timeout is between 10 minutes and 12 hours even
though you can only set it as low as 15 minutes. Select a value between
15 minutes and 12 hours. Choose a shorter timeout period if your organization
has sensitive information and you want to enforce stricter security.The last active session time value isn’t updated until halfway
through the timeout period. That is, if you have a 30 minute timeout,
the system won’t check for activity until 15 minutes have passed.
For example, assume you have a 30 minute timeout value. If you update
a record after 10 minutes, the last active session time value won’t
be updated because there was no activity after 15 minutes. You’ll
be logged out in 20 more minutes (30 minutes total) because the last
active session time wasn’t updated. Suppose you update a record
after 20 minutes. That’s five minutes after the last active
session time is checked, so your timeout resets and you have another
30 minutes before being logged out, for a total of 50 minutes.
|
| Disable session timeout warning popup |
Determines whether the system prompts inactive users with a
timeout warning message. Users are prompted 30 seconds before timeout
as specified by the Timeout value. |
| Force logout on session timeout |
Requires that when sessions time out
for inactive users, current sessions become invalid. Browsers are
automatically refreshed and return to the login page. To access the
organization again when this occurs, users must log in again.Do not select Disable session timeout warning
popup when enabling this option.
|
| Lock sessions to
the IP address from which they originated |
Determines whether user sessions are locked to the IP address
from which the user logged in; helping to prevent unauthorized persons
from hijacking a valid session.This may inhibit various applications
and mobile devices.
|
| Require secure connections
(HTTPS) |
Determines whether HTTPS is required to log in to or access Salesforce, apart from Force.com sites,
which can still be accessed using HTTP. This option is enabled by default for security reasons.
The Resetting Passwords for Your Users page can only be accessed using HTTPS.
|
| Force relogin after Login-As-User |
Determines whether an administrator who is logged in as another
user is returned to their previous session after logging out as the
secondary user. If the option is
enabled, an administrator must log in again to continue using Salesforce after logging
out as the user; otherwise, the administrator is returned to the original
session after logging out as the user. This
option is enabled by default for new organizations beginning with
the Summer ‘14 release.
|
| Require HttpOnly attribute |
Restricts session ID cookie access. A cookie with the HttpOnly
attribute is not accessible via non-HTTP methods, such as calls from
JavaScript.If you have a custom or
packaged application that uses JavaScript to access session ID cookies,
selecting Require HttpOnly attribute breaks your
application because it denies the application access to the cookie.
The Developer Console and AJAX Toolkit debugging window are also not available if the Require
HttpOnly attribute is selected.
|
| Use POST requests for cross-domain sessions |
Sets the organization to send session information using a POST request, instead of a GET
request, for cross-domain exchanges, such as when a user is using a Visualforce page. In this context, POST
requests are more secure than GET requests, because POST requests keep the session
information in the body of the request. However, if you enable this setting,
embedded content from another domain, such
as:1<img src="https://acme.force.com/pic.jpg"/>
might not display. |
| Enable caching and password autocomplete on login
page |
Allows the user’s browser to store usernames. If enabled,
after an initial log in, usernames are auto-filled into the User Name field on the login page. This preference is
selected by default and caching and autocomplete are enabled. |
| Enable SMS-based identity confirmation |
Enables users to receive a one-time PIN delivered via SMS.
Once enabled, administrators or users must verify their mobile phone
number before taking advantage of this feature. This setting is selected by default for all
organizations. |
| Require security tokens for API logins from callouts (API version 31.0 and
earlier) |
Requires the use of security tokens for API logins from callouts, such as Apex callouts or callouts
using the AJAX proxy, in API version 31.0 and earlier. In API version 32.0 and
later, security tokens are required by default. |
| Login IP Ranges (for Contact Manager, Group, and Professional
Editions) |
Specifies a range of IP addresses users must log in from (inclusive), or the login will fail.
To specify a range, click New and enter a Start IP
Address and End IP Address to define the range, which includes the start and end
values.
This field is not available in Enterprise, Unlimited, Performance, and Developer
Editions. In those editions, you can specify a valid Login IP Range in the user
profile settings.
|
| Enable clickjack protection for setup pages |
Protects against clickjack attacks on setup Salesforce pages. Clickjacking
is also known as a user interface redress attack. (Setup pages are
available from the Setup menu.) |
| Enable clickjack protection for non-setup Salesforce pages |
Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking
is also known as a user interface redress attack. Setup pages already
include protection against clickjack attacks. (Setup pages are available
from the Setup menu.) This setting is selected by default for all
organizations. |
| Enable clickjack protection for non-setup customer Visualforce pages |
Protects against clickjack attacks on your Visualforce pages. Clickjacking
is also known as a user interface redress attack. If you use custom Visualforce pages within a frame or iframe, you may see a blank page or
the page may display without the frame. For example, Visualforce pages in a
page layout do not function when clickjack protection is on.
|
| Enable CSRF protection on GET requests on non-setup
pages |
Protects against Cross Site Request
Forgery (CSRF) attacks by modifying non-setup pages to include a random
string of characters in the URL parameters or as a hidden form field.
With every GET and POST request, the application checks the validity
of this string of characters and doesn’t execute the command
unless the value found matches the value expected. This setting is selected by default for all
organizations. |
| Enable CSRF protection on POST requests on non-setup
pages |