Session ID behaviour is governed by Session Settings in Setup, plus profile-level overrides for specific user populations. The steps below cover the most common configuration tasks and the inspection of active sessions for troubleshooting.
- Open Session Settings in Setup
Go to Setup, Security, Session Settings. The page covers org-wide session policies: inactivity timeout, absolute timeout, force re-login on browser close, IP locking, and high-assurance session policies for sensitive operations.
- Set the inactivity and absolute timeouts
Configure the Timeout Value to the inactivity timeout you want (15 minutes to 24 hours). Configure the Maximum Session Length to the absolute timeout (1 hour to 24 hours). Tighter values reduce the window an attacker has if a token is leaked.
- Tighten profile-level overrides where needed
For profiles that need stricter timeouts (admin profiles, finance team), open the profile, edit Session Settings, and pick a tighter Session Timeout from the picklist. Profile settings override org settings for that profile's users.
- Configure IP ranges on the profile or org
On the profile, set Login IP Ranges for the allowed IP space. On the org, configure Setup, Security, Network Access for IP ranges that bypass the verification challenge. Network Access ranges loosen the policy; profile IP ranges tighten it.
- Inspect active sessions and end them when needed
Open Setup, Security, Session Management to see the list of active sessions across the org. Filter by user or source IP. Use the End Session action on any row to invalidate that Session ID immediately. Reset the user's password to force re-login on every session for that user.
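The steps above set the policy in Setup; the following is an added example (not part of the original documentation and not a Salesforce-provided tool) that applies the same checks to a snapshot of the Session Management list: effective inactivity timeout (profile override or org default), maximum session length, and the profile's Login IP Ranges. The session rows, profile names, timeouts and CIDR ranges are all constructed for the example; the Session IDs are placeholders.

```python
"""Audit an exported snapshot of active sessions against session policy.

Constructed example: the rows mirror the columns visible in Setup > Security >
Session Management (user, profile, source IP, created, last activity). Policy
values are assumed for the example, not read from an org.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

@dataclass(frozen=True)
class Session:
    session_id: str        # placeholder label, not a real Session ID
    user: str
    profile: str
    source_ip: str
    created: datetime
    last_activity: datetime

# Org-wide Session Settings (assumed values): Timeout Value and Maximum Session Length.
ORG_INACTIVITY = timedelta(hours=2)
ORG_MAX_LENGTH = timedelta(hours=24)

# Profile-level overrides (assumed): stricter Session Timeout and Login IP Ranges.
PROFILE_INACTIVITY = {
    "System Administrator": timedelta(minutes=30),
    "Finance": timedelta(minutes=30),
}
PROFILE_IP_RANGES = {
    "System Administrator": ["10.0.0.0/8"],
    "Finance": ["192.0.2.0/24"],
}

def effective_inactivity(profile: str) -> timedelta:
    """Profile Session Timeout overrides the org Timeout Value for that profile's users."""
    return PROFILE_INACTIVITY.get(profile, ORG_INACTIVITY)

def ip_allowed(profile: str, ip: str) -> bool:
    """Profile Login IP Ranges tighten access; a profile with no ranges inherits no restriction."""
    ranges = PROFILE_IP_RANGES.get(profile)
    if ranges is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)

def audit(sessions, now: datetime):
    """Return [(session_id, user, [reasons])] for sessions that fail current policy.

    Because timeout changes only apply to sessions created after the change, a
    snapshot can legitimately contain live sessions that no longer meet policy;
    these are the rows an admin would End Session on.
    """
    findings = []
    for s in sessions:
        reasons = []
        if now - s.last_activity > effective_inactivity(s.profile):
            reasons.append("idle past inactivity timeout")
        if now - s.created > ORG_MAX_LENGTH:
            reasons.append("exceeds maximum session length")
        if not ip_allowed(s.profile, s.source_ip):
            reasons.append("source IP outside profile login IP ranges")
        if reasons:
            findings.append((s.session_id, s.user, reasons))
    return findings

# Constructed snapshot, evaluated at a fixed point in time.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    Session("SESSION-A", "admin1", "System Administrator", "10.1.2.3",
            NOW - timedelta(hours=1), NOW - timedelta(minutes=10)),
    Session("SESSION-B", "admin2", "System Administrator", "198.51.100.7",
            NOW - timedelta(hours=1), NOW - timedelta(minutes=5)),
    Session("SESSION-C", "user1", "Standard User", "203.0.113.9",
            NOW - timedelta(hours=28), NOW - timedelta(minutes=1)),
    Session("SESSION-D", "fin1", "Finance", "192.0.2.10",
            NOW - timedelta(hours=2), NOW - timedelta(minutes=60)),
]

def sample_findings():
    return audit(SAMPLE_SESSIONS, NOW)

if __name__ == "__main__":
    for session_id, user, reasons in sample_findings():
        print(f"{session_id} ({user}): {'; '.join(reasons)}")
```

Run it after tightening timeouts or IP ranges to see which currently active sessions would not pass the new policy, then end those sessions from Session Management rather than forcing a re-login on every user.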
- Timeout Value
Inactivity timeout in minutes. The session expires after this much idle time. Range: 15 minutes to 24 hours.
- IP locking
Org-wide setting that binds a Session ID to the original IP address. Leaked tokens cannot be used from other IPs.
- High-assurance session policies
Forces re-authentication when a user attempts a high-assurance operation like Setup access or password change. Raises the bar for compromised sessions.
- UserInfo.getSessionId() returns null in any asynchronous Apex context: batch, future, queueable, scheduled, platform event triggers. Code that needs a Salesforce HTTP callout from async should use a Named Credential pointing to the org with the right OAuth configuration.
- Session ID is a bearer credential. Leaking it is the equivalent of leaking a password until the session expires. Never log Session IDs to debug output or third-party log aggregators.
- Tightened session timeouts take effect only for sessions created after the change, not for currently active sessions. To force every user onto the new policy immediately, run End All Sessions on the affected profiles.
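As a safety net for the logging rule above, the following added example (not from the original documentation) scrubs Session IDs from debug output before it reaches a log aggregator. It assumes the usual shape of a Session ID, an org ID beginning with 00D followed by an exclamation mark and an opaque token; that pattern, the sample log lines and the Session ID values are constructed for the example.

```python
"""Redact Session IDs from log text before it leaves the org.

Constructed example. The regular expression assumes a Session ID looks like an
org ID (00D plus 12 to 15 alphanumerics), a "!", and a token of at least ten
URL-safe characters. Tune it to what your own debug logs actually contain.
"""
import re

SESSION_ID_RE = re.compile(r"00D[A-Za-z0-9]{12,15}![A-Za-z0-9._\-]{10,}")
REDACTED = "[REDACTED_SESSION_ID]"

def redact_session_ids(text: str) -> str:
    """Replace every Session ID occurrence with a fixed marker."""
    return SESSION_ID_RE.sub(REDACTED, text)

def contains_session_id(text: str) -> bool:
    """True if the text still carries something that looks like a Session ID."""
    return SESSION_ID_RE.search(text) is not None

def scrub_lines(lines):
    """Redact a batch of log lines and report how many needed redaction."""
    scrubbed = [redact_session_ids(line) for line in lines]
    hits = sum(1 for line in lines if contains_session_id(line))
    return scrubbed, hits

# Constructed debug output; the Session ID values are made up and not valid.
SAMPLE_LOG = [
    "DEBUG callout headers: Authorization: Bearer 00Dxx0000000001!AQEAQabc123defGHI456.jkl_MNO",
    "DEBUG sessionId=00Dyy0000000002!AR8AQzzz999yyy888xxx777 user=admin1",
    "INFO callout completed status=200",
]

def sample_scrub():
    return scrub_lines(SAMPLE_LOG)

if __name__ == "__main__":
    scrubbed, hits = sample_scrub()
    print(f"redacted {hits} line(s)")
    for line in scrubbed:
        print(line)
```

Wire the redaction in as the last step before shipping logs, and treat a non-zero hit count as a signal that some code path is still writing Session IDs to debug output.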