
Security Architecture of Salesforce

Can someone provide me with Security documentation in Salesforce?


That's a fairly broad question! Can you be more specific? Are you talking about features the application has to help you be secure, or the security of the infrastructure?

I'm looking mostly about user authentication with custom built applications (WIL).

Client applications must log in using valid credentials for a salesforce.com account. The sforce server authenticates these credentials and, if valid, provides the client application. 

Looking for documented security information around this. If we create a custom app accessible via WIL, how can one guarantee security, and are there any security loopholes? The session ID does expire after 2 hours.

I had a friend of mine who is studying cryptanalysis take a look at the SessionID generation. I'd say his analysis was 'typical' for the industry. The algorithm at a glance (excluding some static pieces) seems to hold up to some basic tests. Alas, his biggest flaw was not in the SessionID itself, but how it's used and transported.

While it is true that a specific SessionID does expire after 2 hours (by default), it can be used in conjunction with the UI to generate more SessionIDs, seemingly for an unlimited duration. (I'd actually expect that not to be the case, but 24 hours for certain.) Case in point: if your SessionID gets compromised, an attacker can use that SessionID, passed to frontdoor.jsp, and will get another, new SessionID. That ID will be valid for 2 hours, and the UI will refresh it and issue another one halfway before it expires. (Give or take a bit.)

In short, SessionIDs should never be transmitted in the clear. Unless you need to, use the security settings in the UI to lock SessionIDs to the IP address they were created with. Lastly, if your users are to only use the application from specific locations limit their access to those IP addresses.
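A small model of the mitigation described in the post above, added here as an example for this thread and not Salesforce's own implementation: sessions expire after two hours, the UI rotates them about halfway through, and with the IP lock enabled a session id presented from an address other than the one it was issued to is rejected and revoked, so a leaked id cannot be turned into a fresh one from elsewhere. Class and function names and the 2-hour/half-life constants are assumptions taken from the post.

```python
"""Hypothetical model of IP-locked, time-limited session ids (not Salesforce code)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SESSION_TTL = 2 * 60 * 60      # assumed default lifetime from the thread: 2 hours
REFRESH_AT = SESSION_TTL // 2  # assumed: the UI renews a session about halfway through


@dataclass
class Session:
    user: str
    client_ip: str     # address the id was issued to
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    lock_to_ip: bool = True  # the "lock sessions to IP address" setting recommended above
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable session id bound to the caller's address."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, client_ip, now, now + SESSION_TTL)
        return sid

    def validate(self, sid: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the current (possibly rotated) id, or None if the id must be rejected."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None or now >= s.expires_at:
            self.sessions.pop(sid, None)          # unknown or past its 2-hour lifetime
            return None
        if self.lock_to_ip and client_ip != s.client_ip:
            del self.sessions[sid]                # same id from another origin: treat as stolen
            return None
        if now - s.issued_at >= REFRESH_AT:
            del self.sessions[sid]                # halfway point: rotate, old id stops working
            return self.login(s.user, s.client_ip, now)
        return sid
```

Without the IP lock the same store hands a rotated id to whoever presents the old one, which is the indefinite-refresh behaviour the post warns about.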

This sounds like a security flaw?

What are you referring to?

I think daroz's guidance makes sense - always useful to know what additional measures (such as IP lockdown) are available to your orgs.