Session Settings in Salesforce

Set the session security and session expiration timeout for your organization.

1. Go to Setup –> Administration Setup –> Security Controls –> Session Settings.
2. Fill in the details.
3. Click “Save” button.
Timeout value
Length of time after
which the system logs out inactive users. Select a value between 15 minutes
and 12 hours. Choose a shorter timeout period if your organization has
sensitive information and you want to enforce stricter security.Note
The last active
session time value isn’t updated until halfway through the timeout period.
That is, if you have a 30 minute timeout, the system won’t check for activity
until 15 minutes have passed. For example, assume you have a 30 minute timeout
value. If you update a record after 10 minutes, the last active session time
value won’t be updated because there was no activity after 15 minutes. You’ll
be logged out in 20 more minutes (30 minutes total) because the last active
session time wasn’t updated. Suppose you update a record after 20 minutes.
That’s five minutes after the last active session time is checked, so your
timeout resets and you have another 30 minutes before being logged out, for a
total of 50 minutes.
Disable session
timeout warning popup
Determines whether
the system prompts inactive users with a timeout warning message. Users are
prompted 30 seconds before timeout as specified by the Timeout value.
Lock sessions to the IP address from which they originated
Determines whether
user sessions are locked to the IP address from which the user logged in;
helping to prevent unauthorized persons from hijacking a valid session.Note
This may inhibit
various applications and mobile devices.
Require secure connections (HTTPS)
Determines whether
HTTPS is required to log in to or access Salesforce, apart from
sites, which can still be accessed using HTTP.
This option is
enabled by default for security reasons. It should not be disabled. Once this
preference is set to require HTTPS, you can’t manually change it. To change
to HTTP, contact your representative.
The Resetting
Passwords page can only be accessed using HTTPS.
Force relogin after
Determines whether
an administrator that is logged in as another user is returned to their
previous session after logging out as the secondary user.
If the option is enabled, an administrator
must log in again to continue using Salesforce after logging out as the user;
otherwise, the administrator is returned to their original session after
logging out as the user.
Require HttpOnly
Restricts session ID
cookie access. A cookie with the HttpOnly attribute is not accessible via
non-HTTP methods, such as calls from JavaScript.Note
If you have a custom or packaged application that uses
JavaScript to access session ID cookies, selecting Require HttpOnly attribute
breaks your application because it denies the application access to the
cookie. The Developer Console and AJAX Toolkit debugging window are also not
available if the Require HttpOnly attribute is selected.
Enable caching and
password autocomplete on login page
Allows the user’s
browser to store usernames. If enabled, after an initial log in, usernames
are auto-filled into the User Name field on the login page. This preference
is selected by default and caching and autocomplete are enabled.
Enable SMS-based
identity confirmation
Enables users to
receive a one-time PIN delivered via SMS. Once enabled, administrators or
users must verify their mobile phone number before taking advantage of this
Login IP Ranges
Specifies a range of
IP addresses users must log in from (inclusive), or the login will fail.
Users need to activate their computers to successfully log in from IP
addresses outside this range.
To specify a range,
click New and enter a lower and upper IP address to define the range.
This field is not
available in Enterprise, Unlimited, and Developer Editions. In those
editions, you can specify valid IP addresses per profile.
Enable clickjack
protection for non-setup Salesforce pages
Protects against
clickjack attacks on non-setup Salesforce pages. Clickjacking is also known
as a user interface redress attack. Setup pages already include protection
against clickjack attacks. (Setup pages are those pages accessed from the
left side of the screen after clicking Your Name | Setup
on the upper-right part of the user interface.)
Enable clickjack
protection for non-setup customer Visualforce pages
Protects against
clickjack attacks on your Visualforce pages. Clickjacking is also known as a
user interface redress attack. Warning
If you use custom Visualforce
pages within a frame or iframe, you may see a blank page or the page may
display without the frame. For example, Visualforce pages in a page layout do
not function when clickjack protection is on.

Leave a Reply