This content describes an older version of this product.

Modify Session Security Settings

You can modify session security settings to specify session connection type, timeout settings, and IP address ranges to protect against malicious attacks and more.
Available in: Both Salesforce Classic and Lightning Experience

The Lock sessions to the IP address from which they originated setting is available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

All other settings available in: Essentials, Personal, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions


User Permissions Needed
To modify session security settings: Customize Application
  1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  2. Customize the session security settings.
    Field
      Description

    Timeout value
      Length of time after which the system logs out inactive users. For Portal users, the timeout is between 10 minutes and 24 hours even though you can only set it as low as 15 minutes. Select a value between 15 minutes and 24 hours. Choose a shorter timeout period if your org has sensitive information and you want to enforce stricter security.

      Note: The last active session time value isn’t updated until halfway through the timeout period. So if you have a 30-minute timeout, the system doesn’t check for activity until 15 minutes have passed. For example, if you update a record after 10 minutes, the last active session time value isn’t updated because there was no activity after 15 minutes. You’re logged out in 20 more minutes (30 minutes total), because the last active session time wasn’t updated. Suppose that you update a record after 20 minutes. That’s 5 minutes after the last active session time is checked. Your timeout resets, and you have another 30 minutes before being logged out, for a total of 50 minutes.

    Disable session timeout warning popup
      Determines whether the system prompts inactive users with a timeout warning message. Users are prompted 30 seconds before timeout as specified by the Timeout value.

    Force logout on session timeout
      Requires that when sessions time out for inactive users, current sessions become invalid. The browser refreshes and returns to the login page. To access the org, the user must log in again.

      Note: Do not select Disable session timeout warning popup when using this setting.

    Lock sessions to the IP address from which they originated
      Determines whether user sessions are locked to the IP address from which the user logged in, helping to prevent unauthorized persons from hijacking a valid session.

      Note: This setting can inhibit various applications and mobile devices.

    Lock sessions to the domain in which they were first used
      Associates a current UI session for a user, such as a community user, with a specific domain. The setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for orgs created with the Spring ’15 release or later.

    Require secure connections (HTTPS)
      Determines whether HTTPS is required to log in to or access Salesforce.

      Note: This setting is enabled by default for security reasons. This setting does not apply to API requests. All API requests require HTTPS.

      To enable HTTPS on communities and Force.com sites, see HSTS for Sites and Communities.

      The Reset Passwords for Your Users page can only be accessed using HTTPS.

    Require secure connections (HTTPS) for all third-party domains
      Determines whether HTTPS is required for connecting to third-party domains.

      This setting is enabled by default on accounts created after the Summer ’17 release.

    Force relogin after Login-As-User
      Determines whether an administrator who is logged in as another user is returned to their previous session after logging out as the secondary user.

      If the setting is enabled, an administrator must log in again to continue using Salesforce after logging out as the user. Otherwise, the administrator is returned to the original session after logging out as the user. This setting is enabled by default for new orgs beginning with the Summer ’14 release.

    Require HttpOnly attribute
      Restricts session ID cookie access. A cookie with the HttpOnly attribute is not accessible via non-HTTP methods, such as calls from JavaScript.

      Note: If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. If Require HttpOnly attribute is selected, the AJAX Toolkit debugging window isn’t available.

    Use POST requests for cross-domain sessions
      Sets the org to send session information using a POST request, instead of a GET request, for cross-domain exchanges. An example of a cross-domain exchange is when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests because POST requests keep the session information in the body of the request. However, if you enable this setting, embedded content from another domain, such as:

        <img src="https://acme.force.com/pic.jpg"/>

      sometimes doesn’t display.

    Enforce login IP ranges on every request
      Restricts the IP addresses from which users can access Salesforce to only the IP addresses defined in Login IP Ranges. If this setting is enabled, login IP ranges are enforced on each page request, including requests from client applications. If this setting isn’t enabled, login IP ranges are enforced only when a user logs in. This setting affects all user profiles that have login IP restrictions.

    Enable caching and autocomplete on login page
      Allows the user’s browser to store usernames. If enabled, after initial login, usernames are auto-filled into the Username field on the login page. If the user selected Remember me on the login page, the username persists after the session expires or the user logs out. The username also appears on the Switcher. This setting is selected by default for all orgs.

      Note: If you disable this setting, the Remember me option doesn’t appear on your org’s login page or from the Switcher.

    Enable secure and persistent browser caching to improve performance
      Enables secure data caching in the browser to improve page reload performance by avoiding extra round trips to the server. This setting is selected by default for all orgs.

      We don’t recommend disabling this setting. However, if your company’s policy doesn’t allow browser caching even if the data is encrypted, you can disable it.

      Warning: Disabling this setting has a significant, negative performance impact on Lightning Experience.

    Enable user switching
      Determines whether the Switcher appears when your org’s users select their profile picture. This setting is selected by default for all organizations. The Enable caching and autocomplete on login page setting must also be enabled. Deselect the Enable user switching setting to prevent your org from appearing in Switchers on other orgs. It also prevents your org users from seeing the Switcher when they select their profile picture.

    Remember until logout
      Normally, usernames are cached only while a session is active or if a user selects Remember Me. For SSO sessions, the remember option isn’t available. So, once the session expires, the username disappears from the login page and the Switcher. By enabling Remember me until logout, the cached usernames are deleted only if the user explicitly logs out. If the session times out, they appear on the Switcher as inactive. This way, if the users are on their own computer and allow a session to time out, they can select the username to reauthenticate. If they’re on a shared computer, the username is deleted immediately when the user logs out.

      This setting applies to all your org’s users. This option isn’t enabled by default. However, we encourage you to enable it as a convenience to your users. Keep this setting disabled if your org doesn’t expose all your SSO or authentication providers on your login page.

    Enable the SMS method of identity confirmation
      Allows users to receive a one-time PIN delivered via SMS. If this setting is selected, administrators or users must verify their mobile phone number before taking advantage of this feature. This setting is selected by default for all orgs.

    Require security tokens for API logins from callouts (API version 31.0 and earlier)
      In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default.

    Login IP Ranges (for Contact Manager, Group, and Professional Editions)
      Specifies a range of IP addresses users must log in from (inclusive), or the login fails.

      To specify a range, click New and enter a Start IP Address and End IP Address to define the range, which includes the start and end values.

      This field is not available in Enterprise, Unlimited, Performance, and Developer Editions. In those editions, you can specify a valid Login IP Range in the user profile settings.

    Let users use a security key (U2F)
      Allows users to use a U2F security key for two-factor authentication and identity verification. Instead of using Salesforce Authenticator, a one-time password generated by an authenticator app, or one-time passwords sent by email or SMS, users insert their registered U2F security key into a USB port to complete verification.

    Require identity verification during two-factor authentication registration
      Requires users to confirm their identities to add a two-factor authentication method, such as Salesforce Authenticator, instead of requiring a relogin as before.

    Require identity verification for change of email address
      Requires users to confirm their identities to change email addresses instead of requiring a relogin as before.

      Note: To get the emails to confirm identity, make sure that users have access to their previously registered email accounts.

    Allow location-based automated verifications with Salesforce Authenticator
    • Allow only from trusted IP addresses
      Allows users to verify identity by automatically approving notifications in Salesforce Authenticator, whenever users are in trusted locations such as a home or office. If you allow automated verifications, you can allow them from any location or restrict them to only trusted IP addresses, such as your corporate network.

    Allow Lightning Login
      Allows users to use Lightning Login for password-free Salesforce logins, relying on Salesforce Authenticator for identity verification.

    Enable clickjack protection for Setup pages
      Protects against clickjack attacks on setup Salesforce pages. Clickjacking is also known as a user interface redress attack. (Setup pages are available from the Setup menu.)

    Enable clickjack protection for non-Setup Salesforce pages
      Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking is also known as a user interface redress attack. Setup pages already include protection against clickjack attacks. (Setup pages are available from the Setup menu.) This setting is selected by default for all orgs.

    Enable clickjack protection for customer Visualforce pages with standard headers
      Protects against clickjack attacks on your Visualforce pages with headers enabled. Clickjacking is also known as a user interface redress attack.

      Warning: If you use custom Visualforce pages within a frame or iframe, you sometimes see a blank page or the page displays without the frame. For example, Visualforce pages in a page layout don’t function when clickjack protection is on.

    Enable clickjack protection for customer Visualforce pages with headers disabled
      Protects against clickjack attacks on your Visualforce pages with headers disabled when setting showHeader="false" on the page. Clickjacking is also known as a user interface redress attack.

      Warning: If you use custom Visualforce pages within a frame or iframe, you sometimes see a blank page or the page displays without the frame. For example, Visualforce pages in a page layout don’t function when clickjack protection is on.

    Enable CSRF protection on GET requests on non-setup pages
      Protects against Cross Site Request Forgery (CSRF) attacks by modifying non-Setup pages. Non-Setup pages include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters. The application doesn’t execute the command unless the value found matches the expected value. This setting is selected by default for all orgs.

    Enable CSRF protection on POST requests on non-setup pages

    XSS protection
      Protects against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected, the browser shows a blank page with no content.

    Content Sniffing protection
      Prevents the browser from inferring the MIME type from the document content. It also prevents the browser from executing malicious files (JavaScript, Stylesheet) as dynamic content.

    Referrer URL Protection
      When loading pages, the referrer header shows only Salesforce.com rather than the entire URL. This feature eliminates the potential for a referrer header to reveal sensitive information that could be present in a full URL, such as an org ID. This feature is supported only for Chrome and Firefox.

    HSTS for Sites and Communities
      Requires HTTPS on communities and Force.com sites.

      Note: This setting must be enabled in two locations. HSTS for Sites and Communities must be enabled in Session Settings, and Require Secure Connections (HTTPS) must be enabled in the community or Force.com site security settings. See Creating and Editing Force.com Sites.

    Logout URL
      Redirects users to a specific page after they log out of Salesforce, such as an authentication provider’s page or a custom-branded page. This URL is used only if no logout URL is specified in the identity provider, SAML single sign-on, or external authentication provider settings. If no value is specified for Logout URL, the default is https://login.salesforce.com, unless My Domain is enabled. If My Domain is enabled, the default is https://customdomain.my.salesforce.com.
  3. Click Save.
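The Timeout value note above describes a rule that is easy to misread: activity only refreshes the last-active time once half of the timeout period has elapsed. The following Python model, added here as an illustration and not Salesforce code, replays a list of activity times against that rule and reports when the session would be logged out. Treating activity at exactly the halfway point as refreshing is an assumption; the two scenarios from the note (activity at 10 minutes, activity at 20 minutes, 30-minute timeout) are reproduced.

```python
from dataclasses import dataclass


@dataclass
class SessionTimeoutModel:
    """Model of the timeout rule described in the documentation note (an
    illustration, not Salesforce code). The last-active time is refreshed only
    by activity that occurs once at least half of the timeout period has
    elapsed since the previous refresh. Times are minutes since login."""

    timeout_minutes: float
    last_active: float = 0.0  # login itself counts as the first activity

    def logout_at(self) -> float:
        """Time at which the session is logged out if no further refresh happens."""
        return self.last_active + self.timeout_minutes

    def is_expired(self, now: float) -> bool:
        return now >= self.logout_at()

    def touch(self, now: float) -> bool:
        """Record user activity at time `now`. Returns True if the activity
        refreshed the last-active time, False if it was ignored."""
        if self.is_expired(now):
            return False  # session already timed out; activity cannot revive it
        # Assumption: activity at exactly the halfway point counts as "after".
        if now - self.last_active >= self.timeout_minutes / 2:
            self.last_active = now
            return True
        return False


def effective_logout_time(timeout_minutes: float, activity: list) -> float:
    """Replay activity times (minutes since login) and return when the session ends."""
    model = SessionTimeoutModel(timeout_minutes)
    for t in sorted(activity):
        model.touch(t)
    return model.logout_at()


if __name__ == "__main__":
    # The two scenarios from the documentation note, with a 30-minute timeout.
    print(effective_logout_time(30, [10]))  # activity at 10 min is ignored -> logout at 30
    print(effective_logout_time(30, [20]))  # activity at 20 min refreshes -> logout at 50
```

The practical consequence for a policy review: a user who works steadily but whose actions all fall inside the first half of each window is still logged out on schedule, so a shorter Timeout value is stricter than the raw number suggests.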
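Three of the settings above combine into a per-request access decision: Login IP Ranges (inclusive start and end addresses), Enforce login IP ranges on every request (check each request rather than only the login), and Lock sessions to the IP address from which they originated. The Python below is an added example of how such a decision can be evaluated; it is not Salesforce's implementation, and the `SessionSettings` and `Session` structures and the 203.0.113.0/24 and 198.51.100.0/24 sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginIpRange:
    """An inclusive Start/End address pair, as entered under Login IP Ranges."""
    start: str
    end: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end)
        if not (addr.version == lo.version == hi.version):
            return False  # an IPv6 client never matches an IPv4 range and vice versa
        return lo <= addr <= hi


@dataclass(frozen=True)
class SessionSettings:
    """Hypothetical subset of the settings discussed above (constructed for the example)."""
    login_ip_ranges: tuple = ()  # LoginIpRange entries; empty means no restriction
    enforce_ip_ranges_on_every_request: bool = False
    lock_session_to_origin_ip: bool = False


@dataclass(frozen=True)
class Session:
    session_id: str
    origin_ip: str  # address the user logged in from


def ip_in_login_ranges(settings: SessionSettings, ip: str) -> bool:
    if not settings.login_ip_ranges:
        return True  # no ranges defined for this profile: no restriction
    return any(r.contains(ip) for r in settings.login_ip_ranges)


def check_login(settings: SessionSettings, client_ip: str) -> str:
    """Login-time check: ranges are always enforced here when defined."""
    if ip_in_login_ranges(settings, client_ip):
        return "allow"
    return "deny: ip outside login ranges"


def check_request(settings: SessionSettings, session: Session, client_ip: str) -> str:
    """Per-request check for an already established session."""
    if settings.lock_session_to_origin_ip and (
        ipaddress.ip_address(client_ip) != ipaddress.ip_address(session.origin_ip)
    ):
        return "deny: session locked to a different ip"
    if settings.enforce_ip_ranges_on_every_request and not ip_in_login_ranges(settings, client_ip):
        return "deny: ip outside login ranges"
    return "allow"
```

Note the ordering: with only Login IP Ranges configured, a session established from an allowed address keeps working after the client moves to an address outside the range; the enforce-on-every-request and session-lock settings are what close that gap, at the cost of the mobile and roaming friction the documentation warns about.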
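Several settings above (Require HttpOnly attribute, Require secure connections, clickjack protection, Content Sniffing protection, Referrer URL Protection, HSTS for Sites and Communities) are visible to a tester only through the response headers a page returns. The page itself does not name any headers; the audit below assumes the conventional browser mechanisms (the cookie HttpOnly and Secure attributes, X-Frame-Options or CSP frame-ancestors, X-Content-Type-Options: nosniff, Strict-Transport-Security, Referrer-Policy) and is an added example for verifying a deployment, not Salesforce code. The sample responses are constructed.

```python
def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value into name, value and lowercase attributes.
    Flag attributes (HttpOnly, Secure) map to True; valued ones to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_response(headers: dict, session_cookie_name: str = "sid") -> list:
    """Return findings for one HTTP response. `headers` maps header names to a
    string or a list of strings (Set-Cookie may repeat). Header names are
    matched case-insensitively. `session_cookie_name` is a constructed
    placeholder for whatever cookie carries the session ID."""
    h = {}
    for key, val in headers.items():
        h.setdefault(key.lower(), []).extend(val if isinstance(val, list) else [val])
    findings = []

    for raw in h.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        if cookie["name"] != session_cookie_name:
            continue
        if "httponly" not in cookie["attrs"]:
            findings.append("session cookie lacks HttpOnly (readable by script)")
        if "secure" not in cookie["attrs"]:
            findings.append("session cookie lacks Secure (may be sent over plain HTTP)")

    xfo = h.get("x-frame-options", [""])[0].strip().upper()
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / CSP frame-ancestors)")

    if h.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("content sniffing not disabled (X-Content-Type-Options: nosniff)")

    if not h.get("strict-transport-security"):
        findings.append("no HSTS header (Strict-Transport-Security)")

    policy = h.get("referrer-policy", [""])[0].strip().lower()
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("referrer policy may leak the full URL (Referrer-Policy)")

    return findings


if __name__ == "__main__":
    # Constructed sample: a response from a page with the protections enabled.
    hardened = {
        "Set-Cookie": ["sid=EXAMPLE; Path=/; Secure; HttpOnly", "pref=dark; Path=/"],
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000",
        "Referrer-Policy": "origin",
    }
    print(audit_response(hardened))  # []
```

Run it against a captured response from a test org, once with a setting enabled and once with it disabled, to confirm the setting actually changed what the browser receives; the page for the Reset Passwords for Your Users note, for example, should never pass without HTTPS and HSTS.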
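The CSRF protection rows describe the mechanism in general terms: a random string is placed in URL parameters or a hidden form field, and every GET and POST request is checked against the expected value. The Python class below is an added example of that pattern (a hypothetical `CsrfGuard`, not Salesforce code); the token is bound to the session and compared in constant time. The field name `_csrf` is an assumption.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlencode


class CsrfGuard:
    """Per-session anti-CSRF tokens (hypothetical class for illustration)."""

    FIELD = "_csrf"  # assumed parameter / hidden-field name

    def __init__(self):
        self._tokens = {}  # session id -> token (in practice, server-side session state)

    def issue(self, session_id: str) -> str:
        """Return the session's token, creating a random one on first use."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
            self._tokens[session_id] = token
        return token

    def hidden_field(self, session_id: str) -> str:
        """Hidden form field for POST forms."""
        return f'<input type="hidden" name="{self.FIELD}" value="{escape(self.issue(session_id))}">'

    def link_with_token(self, session_id: str, path: str) -> str:
        """URL carrying the token as a parameter, for state-changing GET links."""
        return f"{path}?{urlencode({self.FIELD: self.issue(session_id)})}"

    def validate(self, session_id: str, params: dict) -> bool:
        """Check the token that arrived as a URL parameter (GET) or form field (POST).
        Fails closed when the session has no token or the parameter is absent."""
        expected = self._tokens.get(session_id)
        supplied = params.get(self.FIELD)
        if expected is None or not isinstance(supplied, str):
            return False
        return hmac.compare_digest(expected, supplied)  # constant-time comparison


if __name__ == "__main__":
    guard = CsrfGuard()
    print(guard.hidden_field("session-A"))
    print(guard.validate("session-A", {"_csrf": guard.issue("session-A")}))  # True
    print(guard.validate("session-A", {}))  # False: token missing
```

Binding the token to the session is what makes the check meaningful: a token minted for one session must not validate another, which is why the example keys the store by session ID rather than issuing a global value.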

Session Security Levels

You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so specified resources are only available to users with a High Assurance level.

The different authentication methods are assigned these security levels, by default.
  • Username and Password — Standard
  • Delegated Authentication — Standard
  • Activation — Standard
  • Lightning Login — Standard
  • Two-Factor Authentication — High Assurance
  • Authentication Provider — Standard
  • SAML — Standard

    Note: The security level for a SAML session can also be specified using the SessionLevel attribute of the SAML assertion sent by the identity provider. The attribute can take one of two values, STANDARD or HIGH_ASSURANCE.

To change the security level associated with a login method:
  1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  2. Under Session Security Levels, select the login method.
  3. To move the method to the proper category, click the Add or Remove arrow.
Currently, the only features that use session-level security are reports and dashboards in Salesforce and connected apps. You can set policies requiring High Assurance on these types of resources. You can also specify an action to take if the session used to access the resource is not High Assurance. The supported actions are:
  • Block — Blocks access to the resource by showing an insufficient privileges error.
  • Raise session level — Prompts users to complete two-factor authentication. When users authenticate successfully, they can access the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or just when they export and print them.

Warning: Raising the session level to high assurance by redirecting the user to complete two-factor authentication is not a supported action in Lightning Experience. If your org has Lightning Experience enabled, and you set a policy that requires a high assurance session to access reports and dashboards, Lightning Experience users with a standard assurance session are blocked from reports and dashboards. Also, they don’t see the icons for these resources in the navigation menu. As a workaround, users with a standard assurance session can log out and log in again using an authentication method that is defined as high assurance by their org. Then they have access to reports and dashboards. Or, they can switch to Salesforce Classic, where they’re prompted to raise the session level when they attempt to access reports and dashboards.
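The session-level rules above (default level per login method, the SAML SessionLevel override, the Block and Raise session level actions, and the Lightning Experience limitation) can be written down as one decision function. The Python below is an added example of that evaluation, not Salesforce code. It assumes a SessionLevel value other than STANDARD or HIGH_ASSURANCE should fall back to the method's default level, which is an assumption, not something the page states.

```python
from enum import Enum
from typing import Optional


class Level(Enum):
    STANDARD = "STANDARD"
    HIGH_ASSURANCE = "HIGH_ASSURANCE"


class Action(Enum):
    BLOCK = "Block"
    RAISE_SESSION_LEVEL = "Raise session level"


# Default levels per login method, as listed in the documentation.
DEFAULT_LEVELS = {
    "Username and Password": Level.STANDARD,
    "Delegated Authentication": Level.STANDARD,
    "Activation": Level.STANDARD,
    "Lightning Login": Level.STANDARD,
    "Two-Factor Authentication": Level.HIGH_ASSURANCE,
    "Authentication Provider": Level.STANDARD,
    "SAML": Level.STANDARD,
}


def session_level(method: str, saml_session_level: Optional[str] = None) -> Level:
    """Level of a new session for a login method. For SAML, the identity
    provider may send a SessionLevel attribute of STANDARD or HIGH_ASSURANCE."""
    if method == "SAML" and saml_session_level is not None:
        try:
            return Level(saml_session_level)
        except ValueError:
            pass  # assumption: unrecognised attribute values fall back to the default
    return DEFAULT_LEVELS[method]


def evaluate_access(level: Level, require_high_assurance: bool, action: Action,
                    lightning_experience: bool = False) -> str:
    """Outcome for a request to a resource (connected app, report or dashboard)
    that may carry a High Assurance session required policy."""
    if not require_high_assurance or level is Level.HIGH_ASSURANCE:
        return "allow"
    if action is Action.RAISE_SESSION_LEVEL and not lightning_experience:
        return "raise session level"  # Salesforce Classic prompts for two-factor authentication
    # Either the policy action is Block, or the user is in Lightning Experience,
    # where raising the level is not supported and the user is blocked instead.
    return "block"


if __name__ == "__main__":
    lvl = session_level("Username and Password")
    print(evaluate_access(lvl, True, Action.RAISE_SESSION_LEVEL))                 # raise session level
    print(evaluate_access(lvl, True, Action.RAISE_SESSION_LEVEL, lightning_experience=True))  # block
    print(evaluate_access(session_level("SAML", "HIGH_ASSURANCE"), True, Action.BLOCK))  # allow
```

The Lightning Experience branch is the one worth testing in a sandbox before rolling out a High Assurance policy, since the outcome for Classic users (a prompt) and Lightning users (a block with hidden navigation icons) differs for the same session.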

To set a High Assurance required policy for accessing a connected app:
  1. From Setup, enter Connected Apps in the Quick Find box, then select the option for managing connected apps.
  2. Click Edit next to the connected app.
  3. Select High Assurance session required.
  4. Select one of the actions presented.
  5. Click Save.
To set a High Assurance required policy for accessing reports and dashboards:
  1. From Setup, enter Access Policies in the Quick Find box, then select Access Policies.
  2. Select High Assurance session required.
  3. Select one of the actions presented.
  4. Click Save.

Session levels have no impact on resources in the app other than connected apps, reports, and dashboards for which explicit security policies have been defined.