Session Settings
Definition
Session Settings is the Setup page in Salesforce where admins configure how user sessions behave: how long a session stays active, when it requires re-authentication, what triggers an automatic logout, what cookies and tokens are set, whether IP changes invalidate the session, and whether high-assurance actions require step-up MFA. The page is found at Setup, Security, Session Settings, and it is the single most consequential security configuration in any Salesforce org.
Session settings interact with three other security surfaces: Login IP Ranges (which restrict which networks can authenticate), Password Policies (which govern credential lifecycle), and Identity Verification (which adds multi-factor steps). Together they form the org's authentication and session security posture. The defaults are intentionally permissive for new orgs to avoid breaking customer experience. Most production orgs need to tighten the defaults: shorter session timeout, MFA requirement, force logout on session timeout, lock sessions to IP. The session settings page is where each of these decisions becomes a checkbox or a dropdown.
How Session Settings define the org security posture
Session timeout: the active-session window
The Timeout Value is the inactivity threshold; the default is 2 hours. After the timeout the user sees a session-expired dialog and must re-authenticate. The minimum is 15 minutes (for stricter security) and the maximum is 24 hours. Most production orgs run 1 to 2 hours. Compliance-heavy industries (financial services, healthcare) typically run 30 minutes. Below 30 minutes the user experience degrades sharply, and users start complaining. The setting is org-wide; a per-profile session timeout is available but rarely used. The Disable session timeout warning popup option turns off the "your session will expire in 5 minutes" warning; most admins leave that warning enabled.
Force logout on session timeout
The Force logout on session timeout setting, when enabled, immediately terminates the session and returns the user to the login page when the timeout hits. Without it, the user can still see the cached UI but cannot perform any action. The forced logout is the more secure setting because cached PII does not stay on screen after the session is invalid. Most security-conscious orgs enable this. The trade-off is the user loses any in-progress work, including unsaved record edits.
Lock sessions to IP
The Lock sessions to the IP address from which they originated setting binds the session token to the originating IP. If the source IP changes mid-session (the user moves from office Wi-Fi to mobile data), the session terminates. This is strong defense against session hijacking: an attacker who stole the session cookie cannot use it from a different IP. The downside is users on mobile carriers (where the IP changes naturally as the device moves between cell towers) get logged out repeatedly. For desktop-heavy workforces, enable. For field-service or sales teams on iPads with cellular, evaluate carefully or scope it through specific profiles.
Require HttpOnly attribute and Use POST requests for cross-domain sessions
Two settings cover session-cookie hardening. Require HttpOnly attribute marks the Salesforce session cookie with HttpOnly, preventing JavaScript on the page from reading it. This blocks XSS-driven session theft and should always be enabled. Use POST requests for cross-domain sessions forces session tokens to travel in POST bodies rather than URL parameters when crossing domains, which keeps the token out of HTTP Referer headers and the logs that record them. Both are off by default in older orgs and on by default in newer ones. Audit and turn both on.
Identity Verification and step-up MFA
Session Settings includes the High Assurance Session Required for Reports and Dashboards setting (and a similar setting for Setup access). When enabled, a user opening a report or entering Setup must pass an identity verification challenge (TOTP code, push notification, security key) even if they already passed MFA at login. This is step-up authentication. It limits the damage from a session token leak: even if someone hijacks the session, they cannot reach sensitive views without re-authenticating. Most regulated industries enable step-up for Setup access at a minimum.
Multi-Factor Authentication enforcement
Salesforce requires MFA for direct UI logins since 2022 as a contractual term. Session Settings includes the Require multi-factor authentication for all direct UI logins toggle. The toggle is on by default for new orgs. Existing orgs that have not enabled it are technically in violation of the master subscription agreement. The setting interacts with Identity Verification: MFA at login covers session-start, Identity Verification covers step-up. Together they implement the modern zero-trust model on the Salesforce platform.
Login IP Ranges (profile-level)
Session Settings is the org-level configuration. Login IP Ranges (Setup, Profiles, Login IP Ranges per profile) restrict logins to specified IP ranges per profile. A user whose profile has Login IP Ranges configured cannot log in from outside those ranges, full stop. The platform redirects to a login-failed page with the Status code "Restricted IP". For VPN-mandated environments, this is the lock. For BYOD-friendly environments, it breaks remote work. The profile-level setting and the session lock-to-IP setting do different things and serve different threat models.
Configuring Session Settings for a secure Salesforce org
Configuring Session Settings is a sequence of consequential checkbox decisions. The path is Setup, Security, Session Settings. Every change applies org-wide on save. Plan changes for a maintenance window with broad notification.
- Open Session Settings
In Setup, type Session Settings into Quick Find and click the link under Security. The page has six sections: Session Settings, Identity Verification, Caching, Clickjack Protection, Cross-Site Scripting, Sandbox Logins.
- Set the timeout value
Set Timeout Value to 1 or 2 hours for most orgs, 30 minutes for regulated industries. Below 30 minutes the user experience degrades sharply.
- Enable Force logout on session timeout
Check the box. The forced logout returns the user to the login page when the session expires, preventing cached UI from staying on screen with sensitive data.
- Consider Lock sessions to the IP address
Enable for desktop-heavy workforces. Skip for mobile-heavy or cellular-network-heavy teams (the IP changes naturally). Test with a pilot group before org-wide rollout.
- Turn on Require HttpOnly and Use POST requests for cross-domain sessions
Both should be checked. They are off by default in older orgs and on by default in newer ones. Cookie hardening is non-controversial and should be the first session change made on any production audit.
- Enable MFA for direct UI logins
Check Require multi-factor authentication for all direct UI logins. This is contractually required by Salesforce since 2022. Confirm every user has enrolled an MFA method (TOTP, push, security key) before enabling.
- Enable step-up MFA for high-risk actions
Enable High Assurance Session Required for Reports and Dashboards and for Setup access. The step-up challenge limits damage from session token leaks by re-authenticating at sensitive entry points.
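To turn the checklist above into a repeatable check, here is an added example (not part of the original page or of Salesforce's own tooling) that audits a retrieved Security.settings file from the Metadata API against the baseline the steps describe. It assumes the element names `sessionTimeout`, `forceLogout`, `lockSessionsToIp`, `requireHttpOnly` and `enablePostForSessions` inside `sessionSettings`, and the timeout enum values listed in the code; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Metadata API namespace for SecuritySettings (Security.settings). The element
# names used below are assumed to match the sessionSettings block of that type.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Assumed sessionTimeout enum values, ordered from shortest to longest.
TIMEOUT_ORDER = ["FifteenMinutes", "ThirtyMinutes", "SixtyMinutes", "TwoHours",
                 "FourHours", "EightHours", "TwelveHours", "TwentyFourHours"]

# Constructed sample: an older org that still carries the permissive defaults.
SAMPLE_SECURITY_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwelveHours</sessionTimeout>
        <forceLogout>false</forceLogout>
        <lockSessionsToIp>false</lockSessionsToIp>
        <requireHttpOnly>false</requireHttpOnly>
        <enablePostForSessions>true</enablePostForSessions>
    </sessionSettings>
</SecuritySettings>
"""

def _flag(sess, name):
    """True only when the boolean element exists and is literally 'true'."""
    node = sess.find(f"m:{name}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"

def audit_session_settings(xml_text, max_timeout="TwoHours", desktop_only=False):
    """Return findings where the org deviates from the hardening baseline."""
    root = ET.fromstring(xml_text)
    sess = root.find("m:sessionSettings", NS)
    if sess is None:
        return ["sessionSettings block missing from SecuritySettings"]
    findings = []
    timeout = sess.findtext("m:sessionTimeout", default="TwoHours", namespaces=NS)
    if timeout not in TIMEOUT_ORDER:
        findings.append(f"sessionTimeout has unrecognised value {timeout}")
    elif TIMEOUT_ORDER.index(timeout) > TIMEOUT_ORDER.index(max_timeout):
        findings.append(f"sessionTimeout is {timeout}; baseline allows at most {max_timeout}")
    for name, why in [
        ("forceLogout", "cached UI with PII stays on screen after expiry"),
        ("requireHttpOnly", "session cookie readable by page JavaScript (XSS theft)"),
        ("enablePostForSessions", "cross-domain session token may leak via URL/Referer"),
    ]:
        if not _flag(sess, name):
            findings.append(f"{name} is off: {why}")
    # Lock-to-IP is only part of the baseline for desktop-bound workforces.
    if desktop_only and not _flag(sess, "lockSessionsToIp"):
        findings.append("lockSessionsToIp is off for a desktop-only workforce")
    return findings
```

Run it against a real retrieve (sfdx/sf project retrieve of the SecuritySettings type) and treat any non-empty result as a ticket for the next maintenance window.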
Summary of the settings covered above:
- Timeout Value: inactivity threshold for session expiration. 15 minutes minimum, 24 hours maximum. Most production orgs run 1 to 2 hours.
- Force logout on session timeout: immediately terminates the session and returns the user to the login page when the timeout hits. Prevents cached PII from lingering on screen.
- Lock sessions to the IP address from which they originated: binds the session token to the originating IP. Blocks session hijacking from a different IP. Breaks mobile-carrier sessions where IPs change naturally.
- Require HttpOnly attribute: marks the session cookie HttpOnly, blocking JavaScript access. Mitigates XSS-driven session theft. Should be on.
- Require multi-factor authentication for all direct UI logins: mandates MFA at login. Contractually required by Salesforce since 2022.
- High Assurance Session Required: step-up MFA for sensitive actions (Setup access, reports, dashboards). Re-authenticates within an active session.
Common pitfalls:
- Lock sessions to IP breaks mobile carrier sessions, where the IP changes naturally as the device moves. Pilot with a small group before org-wide enable.
- The MFA toggle in Session Settings does not auto-enroll users in MFA. Every user must enroll an MFA method (TOTP, push, security key) before the toggle takes effect.
- Session timeout below 30 minutes degrades the user experience sharply. Users start complaining and finding workarounds. Stay at 30 minutes or above unless compliance specifically requires lower.
- Force logout on session timeout terminates in-progress work, including unsaved record edits. Communicate the change to users before enabling.
- Step-up MFA for Setup access can lock out admins if their MFA enrollment is broken. Always have a backup admin with verified MFA before enabling step-up policies.
Trust & references
Straight from the source - Salesforce's reference material on Session Settings.
- Session Settings (Salesforce Help)
- Multi-Factor Authentication (Salesforce Help)
- High Assurance Sessions (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. Can a Salesforce admin configure Session Settings without writing code?
Q2. In which area of Salesforce would you typically find Session Settings?
Q3. What is the primary benefit of Session Settings for Salesforce administrators?