          Session Settings Control

          Lock Sessions to Originating IP Address to prevent session hijacking by making sure that a user's session ID remains valid only when accessed from the specific IP address where it was first established.

          Control Name

          Session Settings

          Recommended Configuration

          • Enable lock sessions to the IP address from which they originated
          • Enable terminate all of a user’s sessions when an admin resets the user passwords
          • Enable lock sessions to the domain in which they were first used

          Setup > Session Settings > Lock sessions to the IP address from which they originated | Terminate all of a user's sessions when an admin resets the user password | Lock sessions to the domain in which they were first used
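The three recommended settings can be verified from a retrieved Security.settings metadata file instead of by inspecting the Setup page by eye. The following checker is an added example, not Salesforce code and not part of this article; it assumes the Metadata API sessionSettings element names lockSessionsToIp and lockSessionsToDomain, uses a labelled placeholder for the password-reset termination setting (its metadata name is not given on this page), and runs on a constructed sample file.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API files such as Security.settings.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Recommended values from the article. The first two names are the
# SecuritySettings.sessionSettings fields as assumed in the lead-in; the
# third is a PLACEHOLDER because the page does not give its metadata name.
RECOMMENDED = {
    "lockSessionsToIp": "true",
    "lockSessionsToDomain": "true",
    "PLACEHOLDER_terminateSessionsOnPasswordReset": "true",
}

# Constructed sample of a retrieved Security.settings file: one control on,
# one off, and one absent. An absent element is reported as a finding rather
# than silently treated as compliant.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <lockSessionsToDomain>true</lockSessionsToDomain>
        <lockSessionsToIp>false</lockSessionsToIp>
        <sessionTimeout>TwoHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
"""


def session_settings(xml_text):
    """Return the <sessionSettings> children as a {localName: text} dict."""
    root = ET.fromstring(xml_text)
    node = root.find("md:sessionSettings", NS)
    if node is None:
        return {}
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in node}


def audit(xml_text, recommended=RECOMMENDED):
    """Compare an org's session settings with the recommended values.

    Returns a list of (setting, actual, expected) tuples; an empty list means
    every recommended control is enabled.
    """
    actual = session_settings(xml_text)
    findings = []
    for name, expected in recommended.items():
        value = actual.get(name, "<missing>")
        if value.lower() != expected:
            findings.append((name, value, expected))
    return findings


if __name__ == "__main__":
    for name, value, expected in audit(SAMPLE_SETTINGS):
        print(f"FINDING: {name} is {value}; recommended value is {expected}")
```

Run it against the Security.settings file from a metadata retrieve of the org; any finding corresponds to one of the three checkboxes on the Session Settings page.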

          Control Overview

          Lock Sessions to Originating IP Address

          This control prevents session hijacking by making sure that a user's session ID remains valid only when accessed from the specific IP address where it was first established. If an attacker attempts to replay the session token from a different network location, Salesforce will automatically deny access and terminate the connection.

          Terminate Sessions on Password Reset

          To ensure immediate account security, this setting automatically invalidates all active sessions for a user the moment an administrator performs a manual password reset. This prevents a potentially compromised user from maintaining access through an existing session after their credentials have been updated.

          Lock Sessions to Initial Domain

          This setting restricts a session's validity to the specific Salesforce domain (such as Lightning, Visualforce, or Experience Cloud) where the user originally authenticated. It serves as a defense against cross-site scripting (XSS) and session fixation attacks by preventing a session cookie from being reused across different functional domains within the platform.

          Security Risk If Not Configured

          Failing to enable these session security controls increases the vulnerability to session hijacking and unauthorized data persistence, as attackers can exploit stolen tokens across different networks or untrusted domains. Also, without session termination upon password resets, a compromised account can remain active even after administrative remediation, leading to prolonged unauthorized access to sensitive information.

          Threat Scenarios

          An attacker who intercepts a session token can bypass network boundaries to access sensitive data from any location or sub-domain undetected. Furthermore, even if the breach is discovered and the user's password is changed, the attacker retains an "all-access pass" because their existing session remains active and unchallenged.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk increases for orgs with many remote users, integration users, API users, or access to sensitive business processes.

          Higher Risk When

          The risk is significantly amplified by a lack of Login IP Ranges and Real-Time Event Monitoring, which leaves the organization unaware of session hijacking from unauthorized geographic locations. Without Multi-Factor Authentication (MFA) to validate login, a stolen session becomes an access path that remains valid and unchallenged even after a security breach is identified and a password is reset.

          Low or No Risk When

          To reduce the risk when these specific session controls are not implemented, you can deploy a "defense-in-depth" strategy using the following alternative and compensating controls:

          • For IP Locking: Implement Strict Login IP Ranges at the profile level and enable "Enforce login IP ranges on every request" to ensure that users are only accessing the system from trusted corporate networks, regardless of their session ID.
          • For Password Reset Termination: Use Salesforce Shield Transaction Security Policies to automatically kill sessions based on suspicious events, or mandate Single Sign-On (SSO) so that disabling a user at the Identity Provider (IdP) level instantly terminates all downstream application access.
          • For Domain Locking: Enforce Multi-Factor Authentication (MFA) for every login and sensitive action, and use CORS (Cross-Origin Resource Sharing) allowlisting to strictly control which external domains are permitted to interact with your Salesforce data and APIs.
          • General Monitoring: Regularly audit the Session Management page in Setup to manually terminate anomalous active sessions and use Real-Time Event Monitoring to alert admins of any session hijacking or "replay" attempts.

          Business and Integration Considerations

          Implementing these controls significantly tightens security, but they can introduce friction for mobile users and break certain automated integrations.

          Recommended Remediation

          Enable the session settings that lock each session to its originating domain and IP address, and terminate all of a user's sessions when their password is reset.

          Security Health Review Guidance

          Security Health Review checks the session-related platform configuration: that sessions are locked to the originating IP address and domain, and that all of a user's sessions are terminated when their password is reset.

          Salesforce Help | Article