Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves the computer unattended while still logged in. Session security also limits the risk of internal attacks, such as when one employee tries to use another employee’s session. Choose from several session settings to control session behavior.
You can control when an inactive user session expires. The default session timeout is two hours of inactivity. When the session timeout is reached, users are prompted with a dialog that allows them to log out or continue working. If they don’t respond to this prompt, they’re logged out.
User sessions can expire when a new Salesforce major release takes effect. To avoid disruptions, start a new session after a major release. To see major release dates for your instance, go to Trust Status, search for your instance, and click the maintenance tab.
You can restrict access to certain types of resources based on the security level associated with the authentication method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so that specified resources are available only to users assigned a High Assurance level. For details, see Session-level Security in Modify Session Security Settings.
You can control whether your org stores user logins and whether they can appear from the Switcher with the settings Enable caching and autocomplete on login page, Enable user switching, and Remember me until logout.
- Modify Session Security Settings
  Use the Session Settings screen to configure session security. You can configure settings such as the session connection type, timeout restrictions, and IP address ranges to protect against malicious attacks.
- Enable Browser Security Settings
  Browser security settings protect sensitive information and monitor SSL certificates.
- Set Trusted IP Ranges for Your Org
  To help protect your Salesforce data from unauthorized access, specify a list of IP addresses from which users can log in without receiving an identity verification challenge.
- Control Access to Browser Features
  To control whether requests to an external (non-Salesforce) server or URL can access the user’s camera and microphone, enable the Permissions-Policy HTTP header. Then select when to allow access to each of these browser features.
- Require High-Assurance Session Security for Sensitive Operations
  To secure different setup areas in your org, require a high-assurance level of security for sensitive operations, such as accessing reports and managing IP addresses. You can also block users from accessing these setup areas.
- View User Session Information on the Session Management Page
  Monitor and protect Salesforce by reviewing active sessions and session details on the Session Management page in Setup. You can create custom list views, view details about a user associated with a specific session, and easily end suspicious sessions. Salesforce admins can view all active user sessions, and non-admins see only their sessions.
- User Session Types
  Learn about the session types in the User Session Information page to help you monitor and protect your org.
- Salesforce Platform Cookies
  The Salesforce Platform uses cookies to improve functionality and accelerate processing times. By saving a user’s settings, cookies can enhance the user’s experience and the Salesforce Platform’s performance.
- Using Frontdoor.jsp to Bridge an Existing Session Into Salesforce
  You can use frontdoor.jsp to give users access to Salesforce from a custom web interface, such as a Salesforce site, using their existing session ID and the server URL.

