Session Management
Definition
Session Management is a Setup page where administrators view and manage all active user sessions in the org. It provides details on each session including the user, login time, IP address, session type, and the ability to revoke individual sessions for security purposes.
In plain English
“Here's a simple way to think about it: Session Management lists every active login in the org - every browser, every API client, every mobile app session. It lets you revoke individual sessions on the spot, which makes it the break-glass surface for incident response.”
Worked example
After a reported security incident, the admin at FinServe Bank opens Session Management and sees that the compromised user has three active sessions from different IP addresses. She revokes all three sessions immediately, forcing the user to re-authenticate. She also identifies that one session originated from a suspicious foreign IP address and reports it to the security team.
Why Session Management is where you can see and end any active login in the org
Session Management lists every active session across the entire org - every browser window, every API client holding an OAuth token, every mobile app session - with the user, the source IP, the login type, and the time it started. The page also lets you revoke individual sessions on the spot. For incident response, this is where you actually log out everyone connected from a suspicious IP.
The reason it's worth knowing about beyond emergencies is that scheduled session reviews catch the unusual patterns. A user with twenty active sessions across five regions probably has compromised credentials; an integration session that's been holding a token for ninety days when policy is thirty signals a missed rotation. Use it as part of the security team's regular cadence, not just as a breakglass tool.
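The scheduled review described above can be scripted. This is an added example, not part of the original page or any Salesforce tooling: it scans a session list saved as CSV with the columns this page names and flags users with too many sessions, too many source IPs, or sessions older than policy. The CSV layout, the sample rows, the `review_sessions` name, the thresholds, and the use of distinct source IPs as a stand-in for regions are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data); columns follow the page's list.
SAMPLE_CSV = """Username,Source IP,Login Type,Session Type,Created Date,Last Activity
alice@example.com,198.51.100.7,Application,UI,2024-05-30T08:00:00,2024-05-30T09:10:00
alice@example.com,203.0.113.9,Application,UI,2024-05-30T08:05:00,2024-05-30T09:12:00
alice@example.com,192.0.2.44,Application,UI,2024-05-30T08:07:00,2024-05-30T09:15:00
svc-etl@example.com,198.51.100.20,API,API,2024-02-20T00:00:00,2024-05-30T09:00:00
bob@example.com,198.51.100.8,Application,UI,2024-05-30T07:00:00,2024-05-30T09:00:00
"""


def review_sessions(csv_text, now, max_sessions=20, max_ips=5, max_age_days=30):
    """Return sorted (username, reason) findings for one session export.

    Thresholds are assumptions to tune per org; distinct source IPs stand in
    for "regions" because the export carries no geolocation column.
    """
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_user[row["Username"]].append(row)

    findings = []
    for user, rows in by_user.items():
        ips = {r["Source IP"] for r in rows}
        if len(rows) > max_sessions:
            findings.append((user, f"{len(rows)} active sessions"))
        if len(ips) > max_ips:
            findings.append((user, f"{len(ips)} distinct source IPs"))
        for r in rows:
            # Long-lived sessions: older than the rotation/timeout policy.
            age = now - datetime.fromisoformat(r["Created Date"])
            if age > timedelta(days=max_age_days):
                findings.append(
                    (user, f"session from {r['Source IP']} is {age.days} days old"))
    return sorted(findings)


if __name__ == "__main__":
    # Thresholds lowered so the small constructed sample trips each check.
    now = datetime(2024, 5, 30, 12, 0, 0)
    for user, reason in review_sessions(SAMPLE_CSV, now, max_sessions=2, max_ips=2):
        print(f"REVIEW {user}: {reason}")
```

Findings are leads for a human reviewer, not grounds for automatic revocation: a flagged service-account session may be a missed rotation rather than a compromise.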
How to set up Session Management
Session Management is the page showing currently active user sessions and recent session activity — useful for forensic investigation ("who's logged in right now") and for forcibly ending sessions when investigating compromise. Read-mostly; kill sessions sparingly.
- Open Setup → Session Management
  Setup gear → Quick Find: Session Management → Session Management.
- Review the list of active sessions
  Each row: Username, Source IP, Login Type, Session Type, Created Date, Last Activity.
- Identify suspicious sessions
  Unfamiliar IP / unfamiliar User Agent / very long-running sessions.
- Click Remove next to a session to force logout
  Ends the session immediately. The user has to re-authenticate.
- Configure session policies separately
  Session timeout, MFA requirements, IP restrictions live on Setup → Session Settings — not here.
Currently-logged-in users and their session details.
End a specific session. The user re-authenticates on next request.
Useful for narrowing during investigations.
- Removing a session forces immediate re-auth — including for the admin running the action if you accidentally pick your own session. Filter carefully.
- Session Management shows currently-active sessions only. Past sessions are in Login History (Setup → Login History).
- API sessions appear here too — including service-account sessions. Killing one forces the integration to re-auth, which may break in-flight calls.
How organizations use Session Management
Used during incident response to revoke sessions from a suspicious IP within minutes; impact contained.
Audit reviews include session history; access patterns are part of compliance evidence.
🧠 Test your knowledge
Q1. In which area of Salesforce would you typically find Session Management?
Q2. Why is understanding Session Management important for Salesforce admins?
Q3. What is the primary benefit of Session Management for Salesforce administrators?
