Configuring Session Settings is a sequence of consequential checkbox decisions, and each one applies org-wide as soon as you save. The path is Setup, Security, Session Settings. Schedule changes for a maintenance window and notify users in advance.
- Open Session Settings
In Setup, type Session Settings into Quick Find and click the link under Security. The page is organized into sections including Session Settings, Identity Verification, Caching, Clickjack Protection, Cross-Site Request Forgery (CSRF) Protection, and Sandbox Logins.
- Set the timeout value
Timeout Value is the inactivity threshold and ranges from 15 minutes to 24 hours. Set 1 or 2 hours for most orgs and 30 minutes where a regulatory baseline demands it. Below 30 minutes the user experience degrades sharply and users start working around the control, which costs more security than it buys.
- Enable Force logout on session timeout
Check the box. When the session expires, the user is sent back to the login page instead of being left on a stale, cached page, so record data and other sensitive content do not linger on screen. The trade-off is that unsaved work in progress is discarded at expiry.
- Consider Lock sessions to the IP address
Enable it for desktop-heavy workforces on stable egress addresses. Skip it for mobile-heavy or cellular-network-heavy teams, and for users behind VPNs or proxies with rotating egress IPs, because the IP changes naturally and every change drops the session. Pilot with a small group before org-wide rollout.
- Turn on Require HttpOnly and Use POST requests for cross-domain sessions
Both should be checked. They are off by default in older orgs and on by default in newer ones. HttpOnly keeps the session cookie out of reach of JavaScript, so an XSS bug cannot exfiltrate it; POST for cross-domain sessions keeps the session identifier out of URLs, and therefore out of referrers, browser history and proxy logs. Cookie hardening should be the first session change made on any production audit, with one caveat: any custom or packaged code that reads the session ID from document.cookie stops working once HttpOnly is required, so search custom Visualforce and JavaScript for that pattern first.
- Enable MFA for direct UI logins
Check Require multi-factor authentication for all direct UI logins. Salesforce has contractually required MFA for direct UI logins since February 1, 2022. The toggle does not enroll anyone; confirm every user has registered a verification method (TOTP app, Salesforce Authenticator push, or security key) before enabling it.
- Enable step-up MFA for high-risk actions
Enable High Assurance Session Required for Reports and Dashboards and for Setup access. Step-up re-authenticates within an already active session, so a leaked session token alone cannot reach these entry points; the attacker would also need the second factor.
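The procedure above is a set of manual checkbox decisions, and what a practitioner wants afterwards is a repeatable check that the saved state matches the baseline. The following is an added example, not Salesforce code or any part of the original guide: a Python audit of a retrieved Security.settings metadata file (the Metadata API SecuritySettings type) against the timeout, force-logout, IP-locking, HttpOnly and POST-for-cross-domain settings discussed above. The element names (sessionTimeout, forceLogoutOnSessionTimeout, lockSessionsToIp, requireHttpOnly, enablePostForSessions) and the timeout enum values are my understanding of that metadata type and should be confirmed against a real retrieve from your org; the two XML documents are constructed samples. The MFA and step-up settings are not covered because the page gives no metadata field for them.

```python
"""Audit a retrieved Salesforce Security.settings file against the session baseline above."""
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Timeout enum -> minutes. Assumption: these are the Metadata API values for
# sessionTimeout; verify against a retrieve of Security.settings from your org.
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "OneHour": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Boolean settings that should always be on. Field names are assumptions (see above).
BOOLEAN_BASELINE = {
    "forceLogoutOnSessionTimeout": "Force logout on session timeout is off: cached PII can stay on screen after expiry",
    "requireHttpOnly": "Require HttpOnly attribute is off: JavaScript (and therefore XSS) can read the session cookie",
    "enablePostForSessions": "Use POST requests for cross-domain sessions is off: the session ID may travel in a GET URL",
}


def _text(session, field):
    el = session.find(NS + field)
    return None if el is None else (el.text or "").strip()


def _as_bool(value):
    return value is not None and value.lower() == "true"


def audit_session_settings(xml_text, max_timeout_minutes=120, mobile_heavy=False):
    """Return a list of (severity, message) findings; an empty list means the baseline is met."""
    root = ET.fromstring(xml_text)
    session = root.find(NS + "sessionSettings")
    if session is None:
        return [("high", "No <sessionSettings> element found; is this a Security.settings retrieve?")]
    findings = []

    # Timeout: too long is a real exposure, too short just drives workarounds.
    timeout = _text(session, "sessionTimeout")
    minutes = TIMEOUT_MINUTES.get(timeout)
    if minutes is None:
        findings.append(("medium", f"Unrecognised sessionTimeout value {timeout!r}"))
    elif minutes > max_timeout_minutes:
        findings.append(("high", f"Timeout Value is {timeout} ({minutes} min), above the {max_timeout_minutes} min ceiling"))
    elif minutes < 30:
        findings.append(("low", f"Timeout Value is {timeout}; below 30 minutes users start working around it"))

    for field, message in BOOLEAN_BASELINE.items():
        if not _as_bool(_text(session, field)):
            findings.append(("high", message))

    # IP locking is a judgement call, not pass/fail: flag whichever way does not fit the workforce.
    lock_ip = _as_bool(_text(session, "lockSessionsToIp"))
    if lock_ip and mobile_heavy:
        findings.append(("medium", "Lock sessions to IP is on for a mobile-heavy org; expect dropped sessions on carrier networks"))
    if not lock_ip and not mobile_heavy:
        findings.append(("low", "Lock sessions to IP is off; consider enabling for a desktop-bound workforce after a pilot"))
    return findings


# Constructed samples: the state this guide tells you to fix, and the state it tells you to reach.
WEAK_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwelveHours</sessionTimeout>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <lockSessionsToIp>false</lockSessionsToIp>
        <requireHttpOnly>false</requireHttpOnly>
        <enablePostForSessions>false</enablePostForSessions>
    </sessionSettings>
</SecuritySettings>"""

HARDENED_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwoHours</sessionTimeout>
        <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
        <lockSessionsToIp>true</lockSessionsToIp>
        <requireHttpOnly>true</requireHttpOnly>
        <enablePostForSessions>true</enablePostForSessions>
    </sessionSettings>
</SecuritySettings>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"== {label} ==")
        for severity, message in audit_session_settings(doc) or [("info", "baseline met")]:
            print(f"[{severity}] {message}")
```

Run it against the file produced by a metadata retrieve of the SecuritySettings type (sfdx force:source:retrieve -m SecuritySettings, or the equivalent in your tooling) and pass mobile_heavy=True for orgs where IP locking is the wrong call; the low-severity IP finding then inverts, matching the pilot-first advice above.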
Summary of the settings covered above:
- Timeout Value: inactivity threshold for session expiration. 15 minutes minimum, 24 hours maximum. Most production orgs run 1 to 2 hours.
- Force logout on session timeout: immediately terminates the session and returns the user to the login page when the timeout hits. Prevents cached PII from lingering on screen.
- Lock sessions to the IP address from which they originated: binds the session token to the originating IP. Blocks session hijacking from a different IP. Breaks mobile-carrier sessions where IPs change naturally.
- Require HttpOnly attribute: marks the session cookie HttpOnly, blocking JavaScript access. Mitigates XSS-driven session theft. Should be on.
- Require multi-factor authentication for all direct UI logins: mandates MFA at login. Contractually required by Salesforce since 2022.
- High Assurance Session Required: step-up MFA for sensitive actions (Setup access, reports, dashboards). Re-authenticates within an active session.
- Lock sessions to IP breaks mobile carrier sessions, where the IP changes naturally as the device moves. Pilot with a small group before org-wide enable.
- The MFA toggle on the Session Settings page does not enroll anyone. Users with no registered verification method (TOTP app, Salesforce Authenticator push, security key) hit the MFA requirement at their next login, so run the enrollment campaign and confirm registration status before flipping it.
- Session timeout below 30 minutes degrades the user experience sharply. Users start complaining and finding workarounds. Stay at 30 minutes or above unless compliance specifically requires lower.
- Force logout on session timeout terminates in-progress work, including unsaved record edits. Communicate the change to users before enabling.
- Step-up MFA for Setup access can lock out admins whose MFA enrollment is broken. Before enabling the policy, have a second admin with verified, working MFA, and confirm from a separate browser session that the step-up challenge can actually be satisfied.