Modify Session Security Settings
Use the Session Settings screen to configure session security. You can configure settings such as the session connection type, timeout restrictions, and IP address ranges to protect against malicious attacks.
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
|---|
| The Lock sessions to the IP address from which they originated setting is available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions. All other settings are available in: Essentials, Personal, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| User Permissions Needed | |
|---|---|
| To modify session security settings: | Customize Application |
Configure these settings on the Session Settings page.
- Configure Session Timeout Settings
- Configure Session Settings
- Configure Secure Connections (HTTPS) Settings
- Configure Caching Settings
- Cross-Site Request Forgery Protection
- Configure Content Security Policy Protection
- Configure Lightning Locker API Version Setting
- Configure Lightning Web Security
- Configure Extra Protection for Your Sessions
- Configure Session Security Levels
- Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps
- Configure Logout Page Settings
- Configure Session Settings for New User Email
Configure Session Timeout Settings
These settings don't apply to sessions that are established with JWT-based access tokens. For these tokens, configure timeout in the external client app or connected app policies. See Issue JSON Web Token (JWT)-Based Access Tokens.
- From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.
- For Timeout Value, select the length of time after which the system logs out inactive users. For portal users, even though the actual timeout is between 10 minutes and 24 hours, you can only select a value between 15 minutes and 24 hours. If you want to enforce stricter security for sensitive information, choose a shorter timeout period.
Note Salesforce updates the last active session time value every 5 minutes. So if you have a 30-minute timeout and you update a record at the 3-minute mark, Salesforce checks for activity and refreshes your session at the 5-minute mark. If you don’t make any other updates, the total length of the session is 35 minutes.
- To disable the timeout warning message for inactive users, select Disable session timeout warning popup. When this setting isn’t selected, a timeout warning message prompts inactive users 30 seconds before timeout, or as specified by the timeout value.
Note If you're logged in as another user, the session timeout warning popup is always disabled. Even if you deselect the Disable session timeout warning popup setting, the popup is still disabled.
- To automatically redirect users to the login page when a session times out, select Force logout on session timeout. The browser refreshes and returns to the login page, and the user must log in again for access. With this setting deselected, when a session times out, the browser stays on the same page. It doesn't redirect to the login page until the user does something that requires them to be logged in. For example, if the session times out while a user is on the Accounts page, the browser stays on this page. If the user then clicks a button to update an account, the browser redirects to the login page.
Note When this setting is enabled, don’t select Disable session timeout warning popup.
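As an added example (not Salesforce code), this Python model reproduces the behaviour the note above describes: the last-active time is refreshed only at 5-minute marks, so an idle session can outlive its configured Timeout Value. The check interval and the rule that activity is credited at the following mark are taken from the note; nothing here is a Salesforce API.

```python
from typing import Iterable

# Salesforce updates the last-active session time every 5 minutes (from the note above).
ACTIVITY_CHECK_INTERVAL_MIN = 5


def session_expiry_minute(timeout_min: int, activity_minutes: Iterable[int]) -> int:
    """Minute (counting from login at 0) at which an inactive session is logged out.

    timeout_min:      the configured Timeout Value, in minutes.
    activity_minutes: minutes at which the user did something, e.g. updated a record.

    Model: last-active starts at the login time. At each 5-minute mark the server
    checks whether there was activity since the previous mark and, if so, sets
    last-active to the mark itself, not to the instant of the activity. The
    session ends once the time since last-active reaches the timeout, so a
    30-minute timeout with one update at minute 3 ends at minute 35.
    """
    activity = set(activity_minutes)
    last_active = 0
    mark = ACTIVITY_CHECK_INTERVAL_MIN
    while True:
        # Activity in the window (mark - 5, mark] is credited at the mark.
        window = range(mark - ACTIVITY_CHECK_INTERVAL_MIN + 1, mark + 1)
        if any(m in activity for m in window):
            last_active = mark
        # Once the idle time reaches the timeout, the session is gone; later
        # activity (after expiry) never revives it.
        if mark >= last_active + timeout_min:
            return last_active + timeout_min
        mark += ACTIVITY_CHECK_INTERVAL_MIN
```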
Configure Session Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- To lock the IP address from which the user logged in, select Lock sessions to the IP address from which they originated. Locking the IP address helps to prevent unauthorized persons from hijacking a valid session.
Note This setting can inhibit various applications and mobile devices.
- Optionally, enable Terminate all of a user’s sessions when an admin resets that user’s password. This setting helps you mitigate security incidents such as stolen passwords and credential stuffing attacks. If you suspect that a user’s password is compromised, you can reset that user’s password and terminate all of their UI sessions at the same time. This setting also applies when you reset passwords for multiple users at once.
- To associate a current UI session for a user with a specific domain, select Lock sessions to the domain in which they were first used. For example, associate an Experience Cloud site user with the site domain. This setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.
- Optionally, enable Allow employees to log in directly to an Experience Cloud site (recommended). With this setting, your internal users can use their internal username and password on the site login page. Employees must be members of the site to log in directly from the site login page. After they log in, your internal users land on the site home page.
- Optionally, enable When embedding a Lightning application in a third-party site, use a session token instead of a session cookie. This setting replaces the authentication cookie with a session token when a Lightning app is in a third-party context, such as Lightning Out. Browsers are restricting the use of third-party cookies. As a result, a Lightning app that uses third-party cookies must use a different approach to maintain the session identifier between the browser and the server. This setting is an alternative to requiring that users disable browser settings, such as Safari’s Prevent cross-site tracking setting.
Configure Secure Connections (HTTPS) Settings
By default, Salesforce requires HTTPS connections and automatically upgrades HTTP requests to HTTPS via the HSTS header. HTTPS is also required for connections to third-party domains.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- The Force relogin after Login-As-User setting is enabled by default. When this setting is enabled, an admin who is logged in as another user must log in again after logging out as the other user. For easier user activity tracking and logging, we recommend that you keep this setting enabled.
- To restrict session ID cookie access, select Require HttpOnly attribute. A cookie with the HttpOnly attribute isn’t accessible through non-HTTP methods, such as calls from JavaScript.
Note If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting the Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also, if you select this setting, the AJAX Toolkit debugging window isn’t available.
- To send session information using a POST request rather than a GET request for cross-domain exchanges, select Use POST requests for cross-domain sessions. For example, when you use a Visualforce page, POST requests are more secure because they keep the session information in the body of the request. But if you enable this setting, sometimes embedded content from another domain, such as an image, doesn’t display.
- To restrict the IP addresses that users can gain access from to only the IP addresses defined in Login IP Ranges, select Enforce login IP ranges on every request.
If you enable this setting, login IP ranges are enforced on each page request, including requests from client applications. If you don’t enable this setting, login IP ranges are enforced only when a user logs in. This setting affects all user profiles with login IP restrictions.
- For Login IP Ranges (for Contact Manager, Group, and Professional editions only), if you selected Enforce login IP ranges on every request, specify a range of IP addresses that users must log in from (inclusive). To specify a range, click New, and enter a Start IP Address and End IP Address to define the range, which includes the start and end values.
Note This field isn’t available in Enterprise, Unlimited, Performance, and Developer Editions. In those editions, you can specify a valid Login IP Range in the user profile settings.
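The following Python model, added here and not Salesforce's implementation, shows the difference between the two request-time checks described in this section and the previous one: Lock sessions to the IP address from which they originated, and Enforce login IP ranges on every request (versus enforcing ranges only at login). The range bounds are inclusive as on the Login IP Ranges page; the addresses are constructed from the TEST-NET documentation blocks.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class SessionPolicy:
    login_ip_ranges: List[Tuple[str, str]]     # (Start IP Address, End IP Address), inclusive
    enforce_ranges_every_request: bool = False  # "Enforce login IP ranges on every request"
    lock_session_to_ip: bool = False            # "Lock sessions to the IP address from which they originated"


@dataclass
class Session:
    origin_ip: str  # address the user logged in from


def in_login_ip_ranges(ip: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if ip falls inside any configured range, start and end values included."""
    addr = ip_address(ip)
    return any(ip_address(start) <= addr <= ip_address(end) for start, end in ranges)


def login(policy: SessionPolicy, client_ip: str) -> Optional[Session]:
    """Login IP ranges are always enforced at login; returns None when login is denied."""
    if policy.login_ip_ranges and not in_login_ip_ranges(client_ip, policy.login_ip_ranges):
        return None
    return Session(origin_ip=client_ip)


def authorize_request(policy: SessionPolicy, session: Session, client_ip: str) -> str:
    """Decide whether a request on an existing session is allowed.

    Returns 'ok', or a reason naming the setting that denied the request.
    Without either setting, a session established from an allowed address is
    honoured from any address afterwards.
    """
    if policy.lock_session_to_ip and client_ip != session.origin_ip:
        return "denied: session locked to originating IP"
    if (policy.enforce_ranges_every_request and policy.login_ip_ranges
            and not in_login_ip_ranges(client_ip, policy.login_ip_ranges)):
        return "denied: outside login IP ranges"
    return "ok"


# Constructed sample: one corporate range (TEST-NET-3, 203.0.113.0/24).
RANGES = [("203.0.113.0", "203.0.113.255")]


def demo(enforce_every_request: bool, lock_ip: bool) -> List[str]:
    """Log in from an in-range address, then continue the session from other addresses."""
    policy = SessionPolicy(RANGES, enforce_every_request, lock_ip)
    session = login(policy, "203.0.113.10")
    assert session is not None  # in range, so login succeeds
    return [
        authorize_request(policy, session, "203.0.113.10"),  # same address as at login
        authorize_request(policy, session, "203.0.113.77"),  # in range, different address
        authorize_request(policy, session, "198.51.100.5"),  # outside the range
    ]
```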
Configure Caching Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- To allow a user’s browser to store usernames, select Enable caching and autocomplete on login page. If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher. This setting is enabled by default.
- To enable secure data caching in the browser, select Enable secure and persistent browser caching to improve performance. When selected, this setting improves page reload performance by avoiding extra round trips to the server. This setting is enabled by default.
Warning Disabling secure and persistent browser caching has a significant negative performance impact on Lightning Experience. Only disable it in these scenarios.
  - Your company’s policy doesn’t allow browser caching, even if the data is encrypted.
  - During development in a sandbox or Developer Edition, you want to see the effect of any code changes without emptying the secure cache.
- To display the Switcher when your users select their profile pictures, select Enable user switching. Deselecting this setting also prevents your users from seeing the Switcher when they select their profile picture. This setting is enabled by default. To prevent your org from displaying in Switchers on other orgs, deselect this setting.
Note To enable the Enable user switching setting, you must also enable the Enable caching and autocomplete on login page setting.
- To delete cached usernames only when the user explicitly logs out, select Remember me until logout. If the session times out, usernames display on the Switcher as inactive. So if users are on their own computer and allow a session to time out, they can select the username to reauthenticate. But if they’re on a shared computer, the username is deleted immediately when the user logs out. This setting applies to all your users.
If you don’t enable this setting (default), usernames are cached only while a session is active or a user selects Remember Me. This option isn’t available for single sign-on sessions. When the session expires, the username disappears from the login page and the Switcher. Keep this setting disabled if authentication providers aren’t exposed on your login page.
- To load Lightning Experience and other apps faster by enabling a content delivery network (CDN) to serve the static content for the Lightning Component framework, select Enable Content Delivery Network (CDN) for Lightning Component framework. A CDN generally speeds up page load time, but it also changes the source domain that serves the files. If your company has IP range restrictions for content served from Salesforce, test thoroughly before enabling this setting. CDNs improve the load time of static content by storing cached versions in multiple geographic locations. This setting turns on CDN delivery for the static JavaScript and CSS in the Lightning Component framework. It doesn’t distribute your Salesforce data or metadata in a CDN.
Cross-Site Request Forgery Protection
Salesforce is automatically protected against Cross-Site Request Forgery (CSRF) attacks. Your non-setup pages include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters. The application doesn’t execute the command unless the value found matches the expected value.
Configure Content Security Policy Protection
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- To override a specific security restriction on accessing email templates in Salesforce Classic from Internet Explorer, select Override Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer.
Warning We strongly recommend against enabling this setting. Internet Explorer doesn’t meet Salesforce’s required level of browser security protection. Enabling this setting makes your users vulnerable to malicious third-party attempts to access your data.
- To prohibit the use of the unsafe-inline source for the script-src directive, select Enable Stricter Content Security Policy. The Lightning Component framework uses Content Security Policy (CSP), the W3C standard to control the source of content that can be loaded on a page. This setting mitigates the risk of cross-site scripting attacks and is enabled by default.
Important We strongly recommend that you keep this setting enabled. Lightning Locker and Lightning Web Security rely on this setting to provide strong security for Lightning components.
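To make concrete what the stricter setting removes, here is an added Python example (not Salesforce code) that parses a Content-Security-Policy header and reports whether its effective script-src still permits inline scripts. The sample headers are constructed for illustration and are not Salesforce's actual policy.

```python
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; names are
    case-insensitive. A repeated directive is ignored after its first
    occurrence, as the CSP specification requires.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when it is absent, default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def uses_unsafe_inline_for_scripts(header: str) -> bool:
    """The condition the stricter CSP setting rules out: 'unsafe-inline' in the effective script-src."""
    return "'unsafe-inline'" in [s.lower() for s in script_sources(parse_csp(header))]


def allows_inline_script(header: str) -> bool:
    """True if the policy lets an arbitrary inline <script> element run.

    'unsafe-inline' permits inline scripts unless a nonce or hash source is also
    present; then CSP Level 2+ browsers ignore 'unsafe-inline' and run only the
    inline scripts that carry a matching nonce or hash.
    """
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Constructed sample headers for illustration only.
LENIENT = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example"
NONCED = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"
FALLBACK = "default-src 'self' 'unsafe-inline'"  # no script-src, so default-src applies to scripts
```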
Configure Lightning Locker API Version Setting
You can temporarily set your org to use the Lightning Locker security features of a previous Salesforce release. This setting lets you quickly return your Lightning components to full functionality if a change in Lightning Locker in a new release causes your components to work incorrectly.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Use security enhancements in API version, select the most recent API version where the components worked correctly. When component developers have updated the components to work with the current Lightning Locker security features, return this setting to the current API version to ensure greatest protection.
For more information, see Select the Locker API Version for an Org in the Lightning Web Components Developer Guide.
Configure Lightning Web Security
The Lightning Component framework offers two security architectures, Lightning Locker and Lightning Web Security.
Lightning Web Security is designed to make it easier for your Lightning components to use secure coding practices and is intended to replace Lightning Locker. Lightning Web Security is being rolled out over several releases. Lightning Web Security is generally available for Lightning web components (LWC) and Aura components.
To use Lightning Web Security instead of Lightning Locker:
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- Select Use Lightning Web Security for Lightning web components and Aura components.
For more information, see Which Components Are Supported by Lightning Web Security in the Lightning Web Components Developer Guide.
Configure Extra Protection for Your Sessions
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- To protect sensitive information in your URLs, such as an org ID or account number, select an HTTP Referrer Policy. See Protect Sensitive Information in Your URLs.
- To protect your users from malicious URLs and phishing, specify external domains that you trust, and then choose an External Redirection setting. You can block these redirections or alert the user that the link is taking them outside the Salesforce domain. For details, see Manage Redirections to External URLs in Salesforce Help. In Lightning Experience, the warning message applies only to web tabs.
Configure Session Security Levels
You can restrict access to certain types of resources based on the security level associated with the authentication method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so that specified resources are available only to users assigned a High Assurance level.
For sensitive operations, always require a High Assurance level of security or block users. If users already have a High Assurance session after logging in, they aren’t prompted to reverify their identity in the same session. This requirement applies even if you require High Assurance for these operations.
To change the security level associated with a login method, take these steps.
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- From Session Security Levels, select the login method from this table.
- To move the method to the proper category, click Add or Remove.
Session Security Levels Login Methods:
| Type | Default Session Security Level | Description |
|---|---|---|
| Username and Password | Standard | Users log in by providing a username and password on a login page. |
| Delegated Authentication | Standard | Users log in by providing a username and a password that is validated using a callout to a delegated authentication endpoint. |
| Activation | Standard | Users verify their identity when accessing Salesforce from a new browser or device. |
| Lightning Login | Standard | Internal users log in by using Salesforce Authenticator instead of a password. |
| Passwordless Login | Standard | Experience Cloud users log in by providing a verification code instead of a password. |
| Multi-factor authentication | High Assurance | Users complete a multi-factor authentication (MFA) challenge to access a resource. For example, a user must complete MFA when accessing a report that requires a High Assurance level with the Raise session level policy. Be careful about changing the security level of MFA to Standard. If MFA has a Standard security level, but the user profile setting, Session security level required at login, requires a High Assurance session security level, the user can’t log in. User access is blocked when the High Assurance requirement isn’t met. |
| Authentication Provider | Standard | Users log in to Salesforce using their login credentials from a third-party service provider. |
| SAML | Standard | Users are authenticated using the SAML protocol for single sign-on. The security level for a SAML session can also be specified using the SessionLevel attribute of the SAML assertion sent by the identity provider. The attribute can take one of two values: STANDARD or HIGH_ASSURANCE. |
Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps
You can also set policies requiring High Assurance on reports, dashboards, and connected apps. And you can specify an action to take when the session that’s used to access the resource isn’t High Assurance. These actions are supported.
- Block—Prevents access to the resource by showing an insufficient privileges error.
- Raise session level—Prompts users to complete MFA. When users authenticate successfully, they can access the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or just when they export and print them.
Session levels have no impact on resources in the app other than connected apps, reports, and dashboards that have defined security policies.
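As an added example (not Salesforce code), this Python model ties the Session Security Levels table above to the two High Assurance policy actions: it derives a session's level from the login method, honours a SessionLevel attribute in a SAML assertion, and applies the Block or Raise session level action to a resource that requires High Assurance. The namespace is the standard SAML 2.0 assertion namespace; the sample assertion is constructed and is not a real identity provider message.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

STANDARD, HIGH_ASSURANCE = "STANDARD", "HIGH_ASSURANCE"

# Default session security level per login method, as listed in the table above.
DEFAULT_LEVELS: Dict[str, str] = {
    "Username and Password": STANDARD,
    "Delegated Authentication": STANDARD,
    "Activation": STANDARD,
    "Lightning Login": STANDARD,
    "Passwordless Login": STANDARD,
    "Multi-factor authentication": HIGH_ASSURANCE,
    "Authentication Provider": STANDARD,
    "SAML": STANDARD,
}

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # standard SAML 2.0 assertion namespace


def saml_session_level(assertion_xml: str) -> Optional[str]:
    """Return the SessionLevel attribute value sent by the identity provider, if any."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "SessionLevel":
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            if value is not None and value.text in (STANDARD, HIGH_ASSURANCE):
                return value.text
    return None


def session_level(method: str, assertion_xml: Optional[str] = None,
                  levels: Dict[str, str] = DEFAULT_LEVELS) -> str:
    """Level of a new session: a SAML SessionLevel attribute wins, else the method's configured level."""
    if method == "SAML" and assertion_xml:
        from_idp = saml_session_level(assertion_xml)
        if from_idp:
            return from_idp
    return levels[method]


def access_resource(level: str, action: str, mfa_completed: bool = False) -> str:
    """Apply a 'High Assurance session required' policy with the given action.

    action is 'Block' or 'Raise session level'. A session that is already
    High Assurance is granted access without another identity check.
    """
    if action not in ("Block", "Raise session level"):
        raise ValueError(f"unknown policy action: {action}")
    if level == HIGH_ASSURANCE:
        return "access granted"
    if action == "Block":
        return "insufficient privileges"
    # Raise session level: the user is prompted for MFA; success raises the session.
    return "access granted (session raised)" if mfa_completed else "MFA challenge required"


# Constructed SAML assertion fragment carrying SessionLevel (not a real IdP message).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="SessionLevel">
      <saml:AttributeValue>HIGH_ASSURANCE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```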
For information about requiring High Assurance when accessing a connected app, see Manage Session Policies for a Connected App.
To require a High Assurance policy when accessing reports and dashboards, take these steps.
- From Setup, in the Quick Find box, enter Access Policies, then select Access Policies.
- Select High Assurance session required.
- Select an option to block access to reports and dashboards or to raise the session level to high assurance.
- Save your changes.
For more information, see Require High Assurance Session Security for Sensitive Operations.
Configure Logout Page Settings
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Logout URL, enter the URL for the page to redirect users to after they log out of Salesforce. For example, enter the URL for an authentication provider’s page or a customer-branded page.
This redirect logout URL is used only if no logout URL is specified in the identity provider, SAML single sign-on, or third-party authentication provider settings. If you don’t provide a logout URL, the default is https://MyDomainName.my.salesforce.com.
- To redirect all expired tabs in your browser to your custom logout URL, select Store the redirect logout URL in your local browser. Before enabling this setting, review these considerations.
This setting uses the browser’s local storage to store the custom logout URL. Verify that this setting doesn’t interfere with your custom login integrations.
Configure Session Settings for New User Email
- From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
- For Link expires in, select the amount of time that the account verification link in welcome emails to new users is valid. You can select 1, 7, or 180 days. By default, account verification links expire after 7 days.
When you update this setting, the change applies to links in welcome emails that were already sent. For example, you sent a welcome email 2 days ago with the link set to expire in 7 days. If you update the setting so that links expire in 1 day, the link in the email you sent 2 days ago is no longer valid.

