Session Settings in Salesforce

Set the session security and session expiration timeout for your organization.

1. Go to Setup --> Administration Setup --> Security Controls --> Session Settings.

2. Fill in the details.

3. Click the Save button.


The fields on the Session Settings page and what each one controls:

Timeout value
Length of time after which the system logs out inactive users. Select a value between 15 minutes and 12 hours. Choose a shorter timeout period if your organization has sensitive information and you want to enforce stricter security.
Note: The last active session time value isn't updated until halfway through the timeout period. That is, if you have a 30 minute timeout, the system won't check for activity until 15 minutes have passed. For example, assume you have a 30 minute timeout value. If you update a record after 10 minutes, the last active session time value won't be updated because there was no activity after 15 minutes. You'll be logged out in 20 more minutes (30 minutes total) because the last active session time wasn't updated. Suppose instead you update a record after 20 minutes. That's five minutes after the last active session time is checked, so your timeout resets and you have another 30 minutes before being logged out, for a total of 50 minutes.

Disable session timeout warning popup
Determines whether the system prompts inactive users with a timeout warning message. Users are prompted 30 seconds before the timeout specified by the Timeout value.

Lock sessions to the IP address from which they originated
Determines whether user sessions are locked to the IP address from which the user logged in, which helps prevent unauthorized persons from hijacking a valid session.
Note: This may inhibit various applications and mobile devices.

Require secure connections (HTTPS)
Determines whether HTTPS is required to log in to or access Salesforce, apart from Force.com sites, which can still be accessed using HTTP.
This option is enabled by default for security reasons and should not be disabled. Once this preference is set to require HTTPS, you can't manually change it back. To change to HTTP, contact your salesforce.com representative.
The Resetting Passwords page can only be accessed using HTTPS.

Force relogin after Login-As-User
Determines whether an administrator who is logged in as another user is returned to their previous session after logging out as the secondary user.
If the option is enabled, an administrator must log in again to continue using Salesforce after logging out as the user; otherwise, the administrator is returned to their original session after logging out as the user.

Require HttpOnly attribute
Restricts session ID cookie access. A cookie with the HttpOnly attribute is not accessible via non-HTTP methods, such as calls from JavaScript.
Note: If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application because it denies the application access to the cookie. The Developer Console and AJAX Toolkit debugging window are also not available if the Require HttpOnly attribute is selected.

Enable caching and password autocomplete on login page
Allows the user's browser to store usernames. If enabled, after an initial login, usernames are auto-filled into the User Name field on the login page. This preference is selected by default, so caching and autocomplete are enabled.

Enable SMS-based identity confirmation
Enables users to receive a one-time PIN delivered via SMS. Once enabled, administrators or users must verify their mobile phone number before taking advantage of this feature.

Login IP Ranges
Specifies a range of IP addresses (inclusive) that users must log in from, or the login will fail. Users need to activate their computers to successfully log in from IP addresses outside this range.
To specify a range, click New and enter a lower and upper IP address to define the range.
This field is not available in Enterprise, Unlimited, and Developer Editions. In those editions, you can specify valid IP addresses per profile.

Enable clickjack protection for non-setup Salesforce pages
Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking is also known as a user interface redress attack. Setup pages already include protection against clickjack attacks. (Setup pages are those pages accessed from the left side of the screen after clicking Your Name | Setup on the upper-right part of the user interface.)

Enable clickjack protection for non-setup customer Visualforce pages
Protects against clickjack attacks on your Visualforce pages. Clickjacking is also known as a user interface redress attack.
Warning: If you use custom Visualforce pages within a frame or iframe, you may see a blank page or the page may display without the frame. For example, Visualforce pages in a page layout do not function when clickjack protection is on.
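The half-interval rule in the Timeout value note is easy to misjudge when choosing a value, so here is a small simulation of it. This is an added example written for this post, not Salesforce code: it assumes the rule is exactly as described (activity refreshes the last-active time only once at least half the timeout has elapsed since the previous refresh) and reproduces the 30 minute and 50 minute outcomes from the note.

```python
"""Simulate Salesforce's session-timeout refresh rule (constructed model).

Assumption taken from the description above: user activity only updates the
last-active timestamp when at least half the configured timeout has passed
since that timestamp was last set. Times are minutes after login.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    timeout_min: int                       # configured Timeout value
    last_active: int = 0                   # minute at which last refreshed
    log: list = field(default_factory=list)

    @property
    def expires_at(self) -> int:
        # Logout happens one full timeout after the last *recorded* activity.
        return self.last_active + self.timeout_min

    def touch(self, at_min: int) -> bool:
        """Record activity at minute `at_min`; return True if it refreshed."""
        if at_min >= self.expires_at:
            self.log.append(f"t={at_min}: too late, logged out at t={self.expires_at}")
            return False
        if at_min - self.last_active < self.timeout_min / 2:
            # First half of the window: activity is not checked, so no refresh.
            self.log.append(f"t={at_min}: ignored, last_active stays {self.last_active}")
            return False
        self.last_active = at_min
        self.log.append(f"t={at_min}: refreshed, new logout at t={self.expires_at}")
        return True


def logout_time(timeout_min: int, activity: list) -> int:
    """Minute at which the user is logged out, given activity minutes."""
    session = Session(timeout_min)
    for t in sorted(activity):
        session.touch(t)
    return session.expires_at


def shortest_idle_before_logout(timeout_min: int) -> float:
    """Least idle time a user can have at logout: activity just before the
    half-way check is ignored, so logout can come only timeout/2 later."""
    return timeout_min / 2
```

With a 30 minute timeout, `logout_time(30, [10])` gives 30 and `logout_time(30, [20])` gives 50, matching the note; `shortest_idle_before_logout` shows why a user can be logged out about 15 minutes after their last click.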
