Session Settings in Salesforce are critical security configurations that administrators use to control user session behavior and protect organizational data. These settings are found under Setup > Security > Session Settings and provide granular control over how users interact with the platform.
Key session settings include:
**Session Timeout**: Administrators can configure how long a user session remains active before automatic logout. Options range from 15 minutes to 24 hours, helping balance security with user convenience. Shorter timeouts enhance security but may impact productivity.
**Login IP Ranges**: While typically set at the profile level, session settings work in conjunction with IP restrictions to ensure users access Salesforce from approved network locations only.
**Session Security Levels**: Salesforce distinguishes between Standard and High Assurance sessions. High Assurance sessions require stronger authentication methods like two-factor authentication and can be required for accessing sensitive data or connected applications.
**Clickjack Protection**: This setting prevents malicious websites from embedding Salesforce pages in frames, protecting users from attacks in which a hidden or overlaid frame tricks them into unknowingly performing actions.
**Cross-Site Request Forgery (CSRF) Protection**: Enabled by default, this prevents unauthorized commands from being submitted on behalf of an authenticated user whom the application trusts.
**Content Security Policy (CSP)**: Helps prevent cross-site scripting attacks by controlling which resources can be loaded.
**Lock Sessions to IP Address**: When enabled, if a user's IP address changes during a session, they must log in again, which prevents session hijacking.
**Force Logout on Session Timeout**: Determines whether users are logged out when their session expires or can continue with re-authentication.
**SMS Identity Confirmation**: Controls whether SMS can be used for identity verification.
Administrators must carefully balance security requirements with user experience when configuring these settings. Regular review of session settings ensures compliance with organizational security policies and industry regulations.
Session Settings in Salesforce: Complete Guide for Administrators
What are Session Settings?
Session Settings in Salesforce are a collection of security configurations that control how users interact with the platform during their active sessions. These settings determine session duration, authentication requirements, and various security protocols that protect your organization's data.
Session settings are found in Setup by navigating to Setup > Security > Session Settings.
Why are Session Settings Important?
Session Settings are critical for several reasons:
• Security: They protect against unauthorized access and session hijacking
• Compliance: Many industries require specific session timeout and security configurations
• User Experience: Properly configured settings balance security with usability
• Data Protection: They help prevent data breaches from unattended workstations
Key Session Settings Components
1. Session Timeout: This determines how long a user can remain inactive before being logged out. The default is 2 hours, but administrators can set values from 15 minutes to 24 hours. For high-security environments, shorter timeouts are recommended.
2. Force Logout on Session Timeout: When enabled, users are logged out when their session expires rather than receiving a warning.
3. Lock Sessions to the IP Address from Which They Originated: This security feature prevents session hijacking by ensuring a session remains valid only from the original IP address.
4. Lock Sessions to the Domain in Which They Were First Used: Restricts sessions to the specific Salesforce domain where they started.
5. Require HttpOnly Attribute: Prevents client-side scripts from accessing session cookies, protecting against cross-site scripting (XSS) attacks.
6. Require Secure Connections (HTTPS): Mandates that all connections use encrypted HTTPS protocol.
7. Enable Clickjack Protection: Protects against malicious framing of Salesforce pages.
8. Enable CSRF Protection: Cross-Site Request Forgery protection prevents unauthorized commands from being transmitted from authenticated users.
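Settings 5 to 7 above take effect in the browser as response headers: HttpOnly and Secure attributes on the session cookie, and a framing restriction (an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive) for clickjack protection. The checker below, an added example written for this guide rather than Salesforce code, reads a captured response and reports which of those settings appear enforced. The sample responses are constructed, the session cookie name `sid` and the header names looked for are assumptions, and CSRF protection is deliberately not checked because it works through per-request tokens rather than headers.

```python
"""Verify, from a captured HTTP response, that session-security settings took effect.

Added example for this guide, not Salesforce code. Only the settings that surface as
response headers are checked; CSRF protection uses per-request tokens and is not visible.
"""
from email.parser import Parser

# Constructed sample responses (not captured from a real org). The cookie value is a
# placeholder and the session cookie name "sid" is an assumption made for this example.
GOOD_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: sid=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains

"""

WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: sid=PLACEHOLDER_SESSION_ID; Path=/
Set-Cookie: prefs=light; Path=/; HttpOnly

"""


def parse_response(raw: str):
    """Split a raw response into its status line and an RFC 822-style header object."""
    status_line, _, header_block = raw.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line.strip(), headers


def cookie_attributes(set_cookie: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def check_session_headers(raw: str, session_cookie: str = "sid") -> dict:
    """Map each setting to True when the response shows it enforced, False otherwise."""
    _, headers = parse_response(raw)
    findings = {
        "session_cookie_present": False,
        "require_httponly": False,           # setting 5: HttpOnly attribute
        "require_secure_connection": False,  # setting 6: Secure attribute on the cookie
        "clickjack_protection": False,       # setting 7: framing restriction
    }
    for value in headers.get_all("Set-Cookie", []):
        name, attrs = cookie_attributes(value)
        if name == session_cookie:
            findings["session_cookie_present"] = True
            findings["require_httponly"] = "httponly" in attrs
            findings["require_secure_connection"] = "secure" in attrs
    xfo = (headers.get("X-Frame-Options") or "").strip().upper()
    csp = (headers.get("Content-Security-Policy") or "").lower()
    findings["clickjack_protection"] = xfo in {"DENY", "SAMEORIGIN"} or "frame-ancestors" in csp
    return findings


def failing_checks(raw: str, session_cookie: str = "sid") -> list:
    """Names of the settings that do not appear enforced, for a quick audit summary."""
    return sorted(k for k, ok in check_session_headers(raw, session_cookie).items() if not ok)


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, failing_checks(raw) or "all checks pass")
```

Run it against a response captured from your own org's login flow (for example from the browser's network tools) after changing a setting, and the list of failing checks tells you whether the change actually reached the client.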
1. A session is created with a unique session ID
2. The session inherits all configured Session Settings
3. The timeout clock begins tracking inactivity
4. Security protocols (IP locking, HTTPS, etc.) are enforced
5. When timeout occurs or the user logs out, the session terminates
Administrators can configure different session policies for different user profiles, allowing more restrictive settings for users with access to sensitive data.
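The lifecycle steps above and the profile-specific policies can be seen working together in a small model. The code below is an added example written for this guide, not Salesforce code (the platform's own session store is not public): a session store that creates a session with an unguessable ID, attaches the policy for the user's profile, enforces the inactivity timeout and IP lock on every request, and ends the session on timeout or logout. The `SessionPolicy` fields, the "expired, re-authenticate" path used when force logout is off, and the sample users and addresses are assumptions of this example; the 15 minute to 24 hour range and the 2 hour default come from the page.

```python
"""Model of the session lifecycle described above, with the settings from this guide.

Added example, not Salesforce code (the platform's session store is not public). It shows
how timeout, IP locking, force-logout and per-profile policies interact over a session's
lifetime. Time is passed in as seconds so the behaviour is deterministic.
"""
from dataclasses import dataclass
import secrets

MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 15, 24 * 60  # the 15 minute .. 24 hour range on the page


@dataclass(frozen=True)
class SessionPolicy:
    """Subset of Session Settings modelled here; defaults follow the page (2 hour timeout)."""
    timeout_minutes: int = 120
    lock_to_ip: bool = False
    force_logout_on_timeout: bool = True

    def __post_init__(self):
        if not MIN_TIMEOUT_MIN <= self.timeout_minutes <= MAX_TIMEOUT_MIN:
            raise ValueError(f"timeout must be {MIN_TIMEOUT_MIN}..{MAX_TIMEOUT_MIN} minutes")


@dataclass
class Session:
    session_id: str
    user: str
    origin_ip: str
    policy: SessionPolicy       # step 2: the session inherits the configured settings
    last_activity: float
    state: str = "active"       # active | expired | terminated
    reason: str = ""


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user: str, ip: str, policy: SessionPolicy, now: float) -> str:
        # step 1: an unguessable, unique session ID; the policy comes from the user's profile
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, ip, policy, now)
        return sid

    def request(self, sid: str, ip: str, now: float):
        """Authorise one request on a session. Returns (allowed, reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown session"
        if s.state != "active":
            return False, s.reason
        # step 3: the inactivity clock. The "expired" state is this example's simplification
        # of the warn-and-re-authenticate path taken when force logout is off.
        if (now - s.last_activity) / 60 > s.policy.timeout_minutes:
            if s.policy.force_logout_on_timeout:
                self._terminate(s, "session timeout")
            else:
                s.state, s.reason = "expired", "session timeout (re-authentication required)"
            return False, s.reason
        # step 4: IP lock; a changed address ends the session (the mobile-user scenario)
        if s.policy.lock_to_ip and ip != s.origin_ip:
            self._terminate(s, f"ip changed ({s.origin_ip} -> {ip})")
            return False, s.reason
        s.last_activity = now
        return True, "ok"

    def reauthenticate(self, sid: str, now: float) -> bool:
        """Revive an expired (not terminated) session after the user re-authenticates."""
        s = self._sessions.get(sid)
        if s is None or s.state != "expired":
            return False
        s.state, s.reason, s.last_activity = "active", "", now
        return True

    def logout(self, sid: str) -> None:
        s = self._sessions.get(sid)
        if s is not None:
            self._terminate(s, "user logout")   # step 5

    @staticmethod
    def _terminate(s: Session, reason: str) -> None:
        s.state, s.reason = "terminated", reason


if __name__ == "__main__":
    store = SessionStore()
    # a standard profile keeps the defaults; a profile with sensitive-data access gets a stricter policy
    strict = SessionPolicy(timeout_minutes=15, lock_to_ip=True)
    sid = store.login("mobile.user", "203.0.113.10", strict, now=0.0)
    print(store.request(sid, "203.0.113.10", now=300.0))   # (True, 'ok')
    print(store.request(sid, "198.51.100.7", now=400.0))   # address changed on the move: session ends
```

The `__main__` block plays out the mobile-user scenario from the exam tips: with IP locking on, the first request from a new address terminates the session and the user has to log in again, which is exactly the "unexpected logout" symptom an administrator is asked to diagnose.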
Exam Tips: Answering Questions on Session Settings
• Remember the Default Timeout: The default session timeout is 2 hours. This is frequently tested.
• Know the Timeout Range: Session timeout can be set from 15 minutes to 24 hours.
• Understand IP Locking: When session IP locking is enabled, if a user's IP address changes mid-session, they will be logged out. This can cause issues for mobile users.
• HTTPS Requirement: Remember that requiring secure connections (HTTPS) is a best practice and often mandatory for compliance.
• Profile-Level Settings: Session settings can be configured at the organization level AND overridden at the profile level for more granular control.
• Watch for Scenario Questions: Exam questions often present scenarios where users are being logged out unexpectedly. Consider session timeout values and IP locking as potential causes.
• Security vs. Usability: Questions may ask about balancing security needs with user convenience. Shorter timeouts are more secure but less convenient.
• Clickjack Protection Levels: Know that there are different levels of clickjack protection: Same Origin Only, Allow Framing, and others.
• Location Matters: Remember that Session Settings are found under Setup > Security > Session Settings.
Common Exam Scenarios
1. Users complaining about frequent logouts → Check session timeout settings
2. Security audit requiring stricter controls → Enable IP locking, reduce timeout, require HTTPS
3. Mobile users having session issues → IP locking may be causing problems as mobile IPs change frequently