| Timeout value |
Length of time after which the system logs out inactive users. For Portal
users, the timeout is between 10 minutes and 12 hours even though you can only set
it as low as 15 minutes. Select a value between 15 minutes and 12 hours. Choose a
shorter timeout period if your organization has sensitive information and you want
to enforce stricter security.The last active session time value isn’t
updated until halfway through the timeout period. So if you have a 30-minute
timeout, the system doesn’t check for activity until 15 minutes have
passed. For example, if you update a record after 10 minutes, the last active
session time value isn’t updated because there was no activity after 15 minutes.
You’re logged out in 20 more minutes (30 minutes total), because the last
active session time wasn’t updated. Suppose that you update a record
after 20 minutes. That’s 5 minutes after the last active session time is
checked. Your timeout resets, and you have another 30 minutes before being
logged out, for a total of 50 minutes.
|
| Disable session timeout warning popup |
Determines whether the system prompts inactive users with a timeout warning
message. Users are prompted 30 seconds before timeout as specified by the
Timeout value. |
| Force logout on session timeout |
Requires that when sessions time out for inactive
users, current sessions become invalid. The browser refreshes and returns to the
login page. To access the organization, the user must log in again.Do
not select Disable session timeout warning popup
when enabling this option.
|
| Lock sessions to the IP address
from which they originated |
Determines whether user sessions are locked to the IP address from which the
user logged in, helping to prevent unauthorized persons from hijacking a valid
session.This option can inhibit various applications and mobile
devices.
|
| Lock sessions to the domain in which
they were first used |
Associates a current UI session for a
user, such as a community user,
with a specific domain to help prevent unauthorized use of the session ID in
another domain. This preference is enabled by default for organizations created
with the Spring ’15 release or later. |
| Require secure connections
(HTTPS) |
Determines whether HTTPS is required to log in to or access Salesforce, apart from Force.com sites, which can still be accessed using
HTTP. This option is enabled by default for security reasons.
The Resetting Passwords for Your Users page can only be accessed using HTTPS.
|
| Force relogin after Login-As-User |
Determines whether an administrator who is logged in as another user is
returned to their previous session after logging out as the secondary user. If the option is enabled, an administrator must
log in again to continue using Salesforce after logging out as the
user; otherwise, the administrator is returned to the original session after
logging out as the user.
This
option is enabled by default for new organizations beginning with the Summer
‘14 release.
|
| Require HttpOnly attribute |
Restricts session ID cookie access. A cookie with the HttpOnly attribute is
not accessible via non-HTTP methods, such as calls from JavaScript.If you have a custom or packaged application that uses
JavaScript to access session ID cookies, selecting Require HttpOnly
attribute breaks your application because it denies the
application access to the cookie. If Require HttpOnly
attribute is selected, the AJAX Toolkit debugging
window is not available.
|
| Use POST requests for cross-domain sessions |
Sets the organization to send session information using a POST request,
instead of a GET request, for cross-domain exchanges, such as when a user is using
a Visualforce page. In this context,
POST requests are more secure than GET requests, because POST requests keep the
session information in the body of the request. However, if you enable this
setting, embedded content from another domain, such
as:1<img src="https://acme.force.com/pic.jpg"/>
might not display. |
| Enforce login IP ranges on every request |
Restricts the IP addresses from which users can access Salesforce to only the IP addresses
defined in Login IP Ranges. If this option is enabled, login IP ranges are
enforced on each page request, including requests from client applications. If
this option is not enabled, login IP ranges are enforced only when a user logs in.
This option affects all user profiles that have login IP restrictions. |
| Enable caching and password autocomplete on login
page |
Allows the user’s browser to store usernames. If enabled, after an
initial login, usernames are auto-filled into the User Name
field on the login page. This preference is selected by default and caching and
autocomplete are enabled. |
| Enable the SMS method of identity confirmation |
Allows users to receive a one-time PIN delivered via SMS. If this option is
selected, administrators or users must verify their mobile phone number before
taking advantage of this feature. This setting is selected by default for all
organizations.
|
| Require security tokens for API logins from callouts (API version
31.0 and earlier) |
Requires the use of security tokens for API logins from callouts, such as Apex callouts or callouts
using the AJAX proxy, in API version 31.0 and earlier. In API version 32.0 and
later, security tokens are required by default. |
|
Login IP Ranges (for Contact Manager, Group, and Professional
Editions) |
Specifies a range of IP addresses users must log in from (inclusive), or the
login fails. To specify a range, click New and enter a
Start IP Address and End IP Address to define the range, which includes the
start and end values.
This field is not available in Enterprise,
Unlimited, Performance, and
Developer Editions. In those editions, you can specify a valid Login IP Range in
the user profile settings.
|
| Enable clickjack protection for Setup pages |
Protects against clickjack attacks on setup Salesforce pages. Clickjacking is also known as a user
interface redress attack. (Setup pages are available from the Setup
menu.) |
| Enable clickjack protection for non-Setup Salesforce pages |
Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking is also known as a user
interface redress attack. Setup pages
already include protection against clickjack attacks. (Setup pages are available
from the Setup menu.) This setting is selected by default for all
organizations.
|
| Enable clickjack protection for customer Visualforce pages with standard
headers |
Protects against clickjack attacks on your Visualforce pages with headers enabled.
Clickjacking is also known as a user
interface redress attack.
If you
use custom Visualforce pages within
a frame or iframe, you might see a blank page or the page may display without
the frame. For example, Visualforce
pages in a page layout do not function when clickjack protection is
on.
|
| Enable clickjack protection for customer Visualforce pages with headers
disabled |
Protects against clickjack attacks on your Visualforce pages with headers disabled
when setting showHeader="false" on the
page. Clickjacking is also known as a user
interface redress attack.
If you
use custom Visualforce pages within
a frame or iframe, you might see a blank page or the page may display without
the frame. For example, Visualforce
pages in a page layout do not function when clickjack protection is
on.
|
| Enable CSRF protection on GET requests on non-setup
pages |
Protects against Cross Site Request Forgery
(CSRF) attacks by modifying non-setup pages to include a random string of
characters in the URL parameters or as a hidden form field. With every GET and
POST request, the application checks the validity of this string of characters and
doesn’t execute the command unless the value found matches the expected
value. This setting is selected by default for all
organizations.
|
| Enable CSRF protection on POST requests on non-setup
pages |
| Logout URL |
Redirects users to a specific page after they log out of Salesforce, such as an
authentication provider’s page or a custom-branded page. This URL is used only if
no logout URL is specified in the identity provider, SAML single sign-on, or
external authentication provider settings. If no value is specified for
Logout URL, the default is
https://login.salesforce.com, unless MyDomain is enabled.
If My Domain is enabled, the default is
https://customdomain.my.salesforce.com. |