Secure Logout Page Control
This control ensures that when a Salesforce session expires in a browser tab, the user is automatically redirected to a predefined, secure URL.
Control Name
Secure Logout
Recommended Configuration
- Logout URL: provide the URL to which expired sessions are redirected (typically the SSO logout endpoint described under Control Overview)
- Enable "Store the redirect logout URL in your local browser"
Setup > Session Settings > Logout URL | Store the redirect logout URL in your local browser
Control Overview
This control ensures that when a Salesforce session expires in a browser tab, the user is automatically redirected to a predefined, secure URL—typically the Single Sign-On (SSO) logout endpoint—rather than the default login page. By enforcing this redirection, the organization ensures a global logout across the entire identity ecosystem, preventing unauthorized users from re-accessing the environment through lingering session tokens at the Identity Provider level.
Security Risk If Not Configured
Not enabling the redirection of expired tabs to a custom logout URL increases the risk of unauthorized session persistence, as users are directed to the standard Salesforce login page instead of the Identity Provider’s (IdP) logout endpoint when a session times out. This bypasses the global logout process, potentially leaving the Single Sign-On (SSO) session active at the IdP level and allowing a subsequent user on the same device to re-access the environment without re-authenticating.
Threat Scenarios
In a shared workstation or public terminal environment, a user may leave their Salesforce session to time out, assuming the session is dead. However, because the expired tab fails to trigger a global logout at the Identity Provider (IdP), the underlying SSO session remains active. An opportunistic attacker can then simply click the login button to be instantly re-authenticated as the previous user, gaining full access to sensitive data without ever being prompted for credentials.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The impact scales with the number of Salesforce instances in the company.
Higher Risk When
The risk of unauthorized session restoration is significantly amplified by excessively long session timeout durations, which expand the window of opportunity for an attacker to access an unattended workstation before the session expires.
Furthermore, a lack of forced re-authentication at the Identity Provider (IdP) level allows the browser to silently re-establish a Salesforce session using a lingering IdP cookie, bypassing the need for a fresh login or MFA challenge once the user clicks the "Login" button on the expired tab.
Low or No Risk When
To minimize the risk of unauthorized session restoration, organizations should implement Single Logout (SLO), which ensures that logging out of Salesforce (or a session timeout) effectively terminates the session at the Identity Provider (IdP) level as well.
Additionally, enforcing short session timeout durations (e.g., 15–30 minutes) and requiring Multi-Factor Authentication (MFA) for every login session provides critical defense-in-depth, ensuring that even if a session remains technically active, a second factor or fresh authentication is required to re-access sensitive data.
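The Recommended Configuration items above and the session-timeout guidance in the two risk sections can be checked from the org's retrieved SecuritySettings metadata rather than by clicking through Setup. The following audit script is an added example written for this page; it is not Salesforce code and not part of the control text. It assumes the XML was retrieved with `sf project retrieve start --metadata SecuritySettings` (the `logoutURL` and `sessionTimeout` elements and the `SessionTimeout` enum values are Metadata API names), while the element name `storeLogoutRedirectInBrowser` for the "Store the redirect logout URL in your local browser" checkbox is a placeholder, and `idp.example.com` is a constructed approved-host value. The weak and hardened samples are constructed inline so the script runs offline.

```python
"""Audit a retrieved Salesforce SecuritySettings file for the Secure Logout control.

Added example for this page; assumptions are noted in the comments below.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Metadata API SessionTimeout enum values mapped to minutes.
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Constructed sample of settings/Security.settings-meta.xml, trimmed to the fields this
# check reads. <storeLogoutRedirectInBrowser> is an ASSUMED element name standing in for
# the "Store the redirect logout URL in your local browser" checkbox.
WEAK_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <logoutURL></logoutURL>
        <sessionTimeout>TwelveHours</sessionTimeout>
        <storeLogoutRedirectInBrowser>false</storeLogoutRedirectInBrowser>
    </sessionSettings>
</SecuritySettings>
"""

# Same file after applying the recommended configuration (constructed sample; the IdP
# logout endpoint is a placeholder host).
HARDENED_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <logoutURL>https://idp.example.com/saml/logout</logoutURL>
        <sessionTimeout>ThirtyMinutes</sessionTimeout>
        <storeLogoutRedirectInBrowser>true</storeLogoutRedirectInBrowser>
    </sessionSettings>
</SecuritySettings>
"""


def audit_session_settings(xml_text, allowed_hosts, max_timeout_minutes=30):
    """Return a list of findings; an empty list means the control is satisfied.

    allowed_hosts: hostnames of the corporate / IdP logout endpoints the policy approves.
    max_timeout_minutes: the longest session timeout the policy tolerates.
    """
    root = ET.fromstring(xml_text)
    session = root.find("md:sessionSettings", NS)
    if session is None:
        return ["sessionSettings block missing from SecuritySettings"]
    findings = []

    # 1. A logout URL must be set, use HTTPS, and point at an approved logout endpoint.
    url = (session.findtext("md:logoutURL", default="", namespaces=NS) or "").strip()
    if not url:
        findings.append("Logout URL is not set: expired tabs fall back to the default login page")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"Logout URL {url!r} is not HTTPS")
        if parsed.hostname not in allowed_hosts:
            findings.append(
                f"Logout URL host {parsed.hostname!r} is not an approved IdP/corporate logout endpoint"
            )

    # 2. The browser-side redirect flag must be enabled (assumed element name, see above).
    store_flag = session.findtext("md:storeLogoutRedirectInBrowser", default="false", namespaces=NS)
    if store_flag.strip().lower() != "true":
        findings.append("'Store the redirect logout URL in your local browser' is disabled")

    # 3. Long timeouts widen the window on an unattended workstation.
    timeout_name = (session.findtext("md:sessionTimeout", default="", namespaces=NS) or "").strip()
    minutes = TIMEOUT_MINUTES.get(timeout_name)
    if minutes is None:
        findings.append(f"Unrecognised sessionTimeout value {timeout_name!r}")
    elif minutes > max_timeout_minutes:
        findings.append(
            f"Session timeout {timeout_name} ({minutes} min) exceeds the {max_timeout_minutes}-minute policy"
        )
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        findings = audit_session_settings(xml_text, allowed_hosts={"idp.example.com"})
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the retrieved file by reading `settings/Security.settings-meta.xml` into `xml_text` and passing your real IdP hostnames as `allowed_hosts`; an empty result is a pass for the Security Health Review check at the end of this page, and each finding names the setting to correct.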
Business and Integration Considerations
N/A
Recommended Remediation
Configure the Logout URL so that expired sessions are redirected to your corporate logout page.
Security Health Review Guidance
Security Health Review inspects the org to ensure it is configured with a predefined redirect logout URL in the browser, in line with your corporate policy.