Manage Session Policies for a Connected App: Session Timeout Control

Control Name

Connected Apps: Manage Session Policies for a Connected App: Session Timeout

Recommended Configuration

Timeout Value: select "1 hour".

Control Overview

This control defines the maximum duration that an application session can remain idle before the access token expires and the user or system is required to re-authenticate or use a refresh token.

Security Risk If Not Configured

Long or indefinite timeout values leave active sessions on devices or servers, significantly increasing the window of opportunity for an unauthorized user to hijack an unattended workstation or compromised mobile device.

Threat Scenarios

An employee leaves their tablet in a public area, or a session is intercepted via a browser-based attack, allowing an adversary to continue accessing sensitive data for hours or days because the session never timed out.

Estimated CVSS Score Range

Critical (9.0–10.0).

Risk Impact Considerations

Excessive session lifetimes facilitate prolonged unauthorized data exposure and complicate incident response, as a stolen token remains a "live" key to the environment for an extended period.

Higher Risk When

"Force logout on session timeout" is disabled, or the app is used on shared, public, or unmanaged devices where physical security is not guaranteed.

Low Risk When

The app is coupled with high-assurance MFA requirements and IP-restricted login policies that prevent a hijacked session from being moved to a different network.

Business and Integration Considerations

Setting a 1-hour timeout can affect the user experience by causing more frequent session interruptions, so developers must make sure the application handles background token refreshes seamlessly, without interrupting the user.

Recommended Remediation

Go to the OAuth Policies of the Connected App, locate the Timeout Value dropdown, and select "1 hour" to enforce stricter session termination.

Security Health Review Guidance

Security Health Review identifies a 1-hour session timeout as the baseline for "Least Privilege Persistence," so that access is frequently re-validated to maintain a high-security posture.

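The background-refresh requirement from the Business and Integration Considerations section, and the "live key" point from the risk sections, as an added Python example (this is not Salesforce's code and not part of the article): a simulation of an access token governed by a 1-hour idle timeout. `SimulatedAuthServer`, `FakeClock` and `ConnectedAppClient` are constructed stand-ins, and the `INVALID_SESSION_ID` error body is an assumption about what an expired session returns. The client refreshes proactively when it knows it has been idle past the timeout and reactively on a 401, so the user sees no interruption, while a copied token goes dead at the same boundary; `stolen_token_status` goes beyond the article's single value to compare how long a copied token survives under a 1-hour versus a 24-hour timeout.

```python
# Constructed constant matching the control's recommended "1 hour" Timeout Value.
IDLE_TIMEOUT_SECONDS = 60 * 60


class SessionExpired(Exception):
    """Raised when a request is still unauthorized after one refresh attempt."""


class FakeClock:
    """Hypothetical clock: tests advance `now` instead of really waiting."""
    now = 0.0


class SimulatedAuthServer:
    """Constructed stand-in for the authorization server plus API: a token
    unused for idle_timeout seconds gets 401; only a refresh grant replaces it."""

    def __init__(self, clock, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.clock, self.idle_timeout = clock, idle_timeout
        self.last_used = {}  # access token -> time of last activity
        self.refresh_token, self.counter = "refresh-1", 0

    def issue(self):
        self.counter += 1
        token = f"access-{self.counter}"
        self.last_used[token] = self.clock.now
        return token

    def refresh(self, refresh_token):
        if refresh_token != self.refresh_token:  # invalid grant: full login needed
            raise SessionExpired("refresh token rejected; user must log in again")
        return self.issue()

    def api(self, path, access_token):
        last = self.last_used.get(access_token)
        if last is None or self.clock.now - last >= self.idle_timeout:
            self.last_used.pop(access_token, None)  # idle past timeout: dead
            return 401, {"errorCode": "INVALID_SESSION_ID"}  # assumed error shape
        self.last_used[access_token] = self.clock.now
        return 200, {"path": path, "token": access_token}


class ConnectedAppClient:
    """Hypothetical client wrapper that keeps calls working across the idle
    timeout without surfacing a failure to the user."""

    def __init__(self, server, clock, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.server, self.clock, self.idle_timeout = server, clock, idle_timeout
        self.access_token = server.issue()  # initial authorization
        self.refresh_token = server.refresh_token
        self.last_activity, self.refreshes = clock.now, 0

    def _refresh(self):
        self.access_token = self.server.refresh(self.refresh_token)
        self.last_activity = self.clock.now
        self.refreshes += 1

    def call(self, path):
        # Proactive refresh: the client knows it has been idle past the
        # timeout, so it refreshes before sending and the user sees no error.
        if self.clock.now - self.last_activity >= self.idle_timeout:
            self._refresh()
        status, body = self.server.api(path, self.access_token)
        if status == 401:
            # Reactive refresh: the server ended the session early (forced
            # logout, clock skew). Refresh once and retry once, then give up.
            self._refresh()
            status, body = self.server.api(path, self.access_token)
            if status == 401:
                raise SessionExpired(f"{path}: unauthorized even after refresh")
        self.last_activity = self.clock.now
        return body


def run_scenario(idle_timeout=IDLE_TIMEOUT_SECONDS):
    """Drive one session across the idle boundary and report what happened."""
    clock = FakeClock()
    server = SimulatedAuthServer(clock, idle_timeout)
    client = ConnectedAppClient(server, clock, idle_timeout)
    first_token = client.access_token  # a copy an attacker might have taken
    used = [client.call("/first")["token"]]
    clock.now += idle_timeout - 1
    used.append(client.call("/just-inside")["token"])    # same token, still live
    clock.now += idle_timeout
    used.append(client.call("/after-idle")["token"])     # proactive refresh
    stolen_status, _ = server.api("/data", first_token)  # copied token is dead
    server.last_used.pop(client.access_token)            # forced logout server-side
    used.append(client.call("/after-revoke")["token"])   # reactive refresh
    return {"tokens": used, "refreshes": client.refreshes,
            "stolen_token_status": stolen_status}


def stolen_token_status(idle_timeout, attacker_delay):
    """Whether a copied access token is still a 'live key' after a delay."""
    clock = FakeClock()
    server = SimulatedAuthServer(clock, idle_timeout)
    token = server.issue()
    clock.now += attacker_delay
    return server.api("/data", token)[0]
```

`run_scenario()` walks one session through the four interesting moments: a call just inside the idle window keeps the same token, the first call after the window triggers a proactive refresh, the attacker's copy of the original token is rejected at that same boundary, and a server-side forced logout is recovered by one reactive refresh. `stolen_token_status(IDLE_TIMEOUT_SECONDS, 2 * 3600)` returns 401 while `stolen_token_status(24 * 3600, 2 * 3600)` returns 200, which is the exposure the Security Risk If Not Configured section describes.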
Salesforce Help | Article