Session Timeout Settings Control

          The Salesforce session timeout control is a security measure designed to protect against unauthorized access by automatically terminating user sessions after a specified period of inactivity.

          Control Name

          Session Timeout

Recommended Configuration

• Set the Session Timeout value to 15 minutes or less
• Disable the session timeout warning popup
• Enable Force logout on session timeout

Location: Setup > Session Settings > Session Timeout

          Security Risk If Not Configured

          Failure to configure an appropriate session timeout in Salesforce increases the risk of unauthorized access to sensitive data when a user leaves a workstation unattended or a device is lost. This security gap can lead to session hijacking and data exfiltration, while also resulting in non-compliance with industry regulatory standards that require time-bound access controls.

          Threat Scenarios

          An attacker exploits an unattended, active session or stolen session token to gain persistent unauthorized access to sensitive data.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Consider user behaviour and the environment where the user accesses the platform.

          Higher Risk When

If a session timeout is not configured (or is configured poorly), the absence of any of the following controls further increases the security risk:

          • Lack of Multi-Factor Authentication (MFA): Without MFA, a session is only protected by a single set of credentials. If a session remains active indefinitely, an attacker who gains access to the device doesn't have to bypass any additional security layers.
• Lack of "Force Logout on Session Timeout": If this specific setting is disabled, Salesforce cannot actually terminate the session when it expires, allowing the browser to keep the session alive as long as it remains open.
          • Lack of IP Address Restrictions: If sessions are not locked to the originating IP address or restricted to corporate ranges, a "persistent" session token can be stolen and used from any location globally without being challenged.
          • Lack of Workstation or Device Auto-Lock: If there is no organizational policy or technical control (like GPO or MDM) to lock a user’s computer or mobile device after a period of inactivity, the open Salesforce session is left completely exposed to anyone with physical access.
          • Lack of Profile-Level Overrides: Relying only on broad "Organization-Wide" settings rather than stricter, shorter timeouts for high-privilege profiles (like System Admins) increases the "blast radius" if an admin's session is hijacked.
          • Lack of Real-Time Session Monitoring: Without tools like Salesforce Event Monitoring or Transaction Security Policies, the organization cannot detect or automatically kill suspicious sessions that have been active for an abnormally long time.
          • Lack of "Lock Sessions to the Domain": Failing to restrict sessions to the specific domain where they started can increase the risk of cross-site scripting (XSS) or session fixation attacks.

          Low or No Risk When

To lower the risk when a strict session timeout is not feasible or configured, you can implement a defense-in-depth strategy using the following controls:

1. Salesforce Native Security Controls

          • Enforce Multi-Factor Authentication (MFA): Require a second factor for all logins. Even if a session remains active, an attacker would first need to bypass MFA to establish that session.
          • Force Logout on Session Timeout: Ensure that this setting is enabled in Session Settings. Without it, some browsers can keep a "timed out" session active indefinitely in the background.
          • Lock Sessions to the IP Address: This prevents "session hijacking" by ensuring the session can only be used from the specific IP address where it originated.
          • Login IP Ranges (Profile Level): Restrict access to specific, trusted networks (for example, your corporate VPN). This makes sure that even an active session is useless if the device is moved to an untrusted network.
          • Login Hours: Define specific windows (for example, 8:00 AM – 6:00 PM) where users can access Salesforce. This automatically prevents session persistence during off-hours.

          2. Advanced Monitoring & Automation (Shield)

          • Transaction Security Policies (Salesforce Shield): Create real-time policies that trigger on suspicious behavior. For example, you can automatically block or challenge a session with MFA if a user attempts a large data export or accesses sensitive records after a long period of "idleness."
• Event Monitoring: Use Real-Time Event Monitoring to track LoginEvent and SessionHijackingEvent in order to identify and programmatically terminate anomalous sessions.

          3. Identity & Endpoint Controls

          • Single Sign-On (SSO): Delegate session management to a central Identity Provider (IdP) like Okta or Azure AD. You can then enforce stricter global session policies or "kill" all active app sessions from a single dashboard if a device is compromised.
          • Endpoint Management (MDM/GPO): Implement a corporate policy that automatically locks the physical workstation or mobile device after 5–10 minutes of inactivity. This mitigates the risk of an "unattended workstation" which is the primary threat of long sessions.
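The Recommended Configuration above and the native "lock sessions" controls in this section are all fields of the org's SecuritySettings metadata. The following added example (not Salesforce code or part of this article) audits a retrieved Security.settings file against those values; it assumes the Metadata API's `sessionSettings` XML layout and `sessionTimeout` enumeration as shown in the constructed sample, which you should verify against your own retrieved file.

```python
import xml.etree.ElementTree as ET

# Assumption: Metadata API namespace and sessionTimeout enumeration values,
# mapped to minutes so they can be compared with the 15-minute recommendation.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "OneHour": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Expected flag values: warning popup off, force logout on, plus the
# compensating lock-to-IP and lock-to-domain controls from this section.
EXPECTED_FLAGS = {
    "forceLogoutOnSessionTimeout": "true",
    "disableTimeoutWarning": "true",
    "lockSessionsToIp": "true",
    "lockSessionsToDomain": "true",
}


def audit_session_settings(xml_text: str, max_minutes: int = 15) -> list:
    """Return a list of findings; an empty list means the control is met."""
    root = ET.fromstring(xml_text)
    session = root.find("m:sessionSettings", NS)
    if session is None:
        return ["sessionSettings block missing"]
    findings = []
    timeout = session.findtext("m:sessionTimeout", default="", namespaces=NS)
    minutes = TIMEOUT_MINUTES.get(timeout.strip())
    if minutes is None:
        findings.append(f"sessionTimeout unknown or unset: {timeout!r}")
    elif minutes > max_minutes:
        findings.append(f"sessionTimeout is {minutes} min, exceeds {max_minutes} min")
    for tag, want in EXPECTED_FLAGS.items():
        # A missing flag is treated as "false", i.e. the control is off.
        got = session.findtext(f"m:{tag}", default="false", namespaces=NS).strip().lower()
        if got != want:
            findings.append(f"{tag} is {got}, expected {want}")
    return findings


# Constructed sample of an org that fails the control (not a real org's file).
SAMPLE_WEAK = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwoHours</sessionTimeout>
        <disableTimeoutWarning>false</disableTimeoutWarning>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <lockSessionsToIp>false</lockSessionsToIp>
        <lockSessionsToDomain>true</lockSessionsToDomain>
    </sessionSettings>
</SecuritySettings>"""

if __name__ == "__main__":
    for finding in audit_session_settings(SAMPLE_WEAK):
        print("FAIL:", finding)
```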

          Business and Integration Considerations

Customers should evaluate the entry points of their users' endpoints and what data each user profile is exposed to.

          Recommended Remediation

          Implement Session Timeout at the endpoint level and also at the platform level.

          Security Health Review Guidance

          Security Health Review identifies the platform configuration related to session timeout by inspecting the session timeout against industry best practice (15 minutes).

          Salesforce Help | Article