
Session Settings

§ 01

Definition

Session Settings is a Setup page where administrators configure global session behavior for the org, including session timeout duration, whether to lock sessions to the originating IP address, clickjack protection, CSRF protection, and whether to force re-login after a session expires.

§ 02

In plain English

Here's a simple way to think about it: Session Settings is where the org draws the line between security and friction at the session level. Timeout duration, IP locking, clickjack and CSRF protection, forced re-login: each is a dial, and together they set the session security posture every active user experiences.

§ 03

Worked example

The security admin at Granite Financial tightens Session Settings by reducing the session timeout from 12 hours to 2 hours, enabling "Lock sessions to the IP address from which they originated," and turning on clickjack protection for all page types. Secure connections (HTTPS) are already enforced by Salesforce and cannot be switched off. The timeout and clickjack changes strengthen the org's posture for every user; the IP lock does too, but only for a desk-bound population, so the admin confirms first that no profile in scope depends on mobile data or a VPN that rotates egress addresses.

§ 04

Why Session Settings draws the line between security and friction at session level

Session Settings is the org-wide page that controls how long users stay logged in, whether their session is locked to the IP address they logged in from, what protections are in place against clickjacking and CSRF, and what happens when a session times out: by default the user is prompted to log in again and is returned to the page they were on, whereas "Force logout on session timeout" invalidates the session and sends the browser back to the login page. Each setting is a small dial; together they set the security posture every active user experiences.

The reason this page is worth tuning carefully is that the defaults aren't always right for your environment. A two-hour session timeout is appropriate for office workers, far too long for shared kiosks, and far too short for field reps in low-connectivity areas. IP locking is a strong control for desk-bound users and nearly unusable for mobile sales reps. Match the policy to the actual user population, and where populations differ significantly, consider whether profile-level overrides are needed.

§ 05

How to set up Session Settings

Session Settings control the global rules around user sessions: how long a session lasts, whether HTTPS is required, whether sessions are locked to the originating IP. Several of these are scored by Health Check, so tightening them here is one of the quickest ways to raise the Security score.

  1. Open Setup → Session Settings

    Setup gear → Quick Find: Session Settings → Session Settings.

  2. Set Session Timeout Value

    The timeout is an inactivity timeout; the default is 2 hours, and the picklist runs from 15 minutes to 24 hours. Stricter orgs use 30 or 60 minutes. Shorter values force users to re-authenticate more often, so balance security against usability.

  3. Tick Disable session timeout warning popup only if you have a reason to

    By default a warning appears 30 seconds before the session times out, giving the user a chance to extend it. Disabling it removes that warning, which is usually a poor usability choice and gains nothing in security.

  4. Tick Lock sessions to the IP address from which they originated

    When ticked, a session created from one IP address cannot be used from another, so a stolen session ID is useless to an attacker on a different network. Strong control, but it breaks for users on mobile data, on VPNs that rotate egress addresses, or behind load balancers that present several public IPs.

  5. Confirm Require secure connections (HTTPS)

    This should always be on. Salesforce enforces it, so production orgs cannot turn it off; it appears here for completeness.

  6. Tick Force logout on session timeout

    When a session times out, invalidate it and return the browser to the login page instead of letting the user log back in from a dialog and resume the page they were on. Stricter, at the cost of losing unsaved page state.

  7. (Optional) Configure Login IP Ranges

    Login IP Ranges are set per profile (Setup → Profiles → Login IP Ranges); a login from outside the range is blocked. The related Session Settings option "Enforce login IP ranges on every request" extends that check from login time to every request in the session. The org-wide list under Network Access → Trusted IP Ranges is different: it only skips the identity-verification challenge and does not block logins.

Key options
Session Timeout Value

15 min to 24 hours. 2 hours is the default; 4 to 8 hours is common in low-friction orgs; 30 minutes for compliance-heavy orgs.

Lock sessions to the IP address from which they originated

Strong, but breaks mobile and VPN-rotating users.

Lock sessions to the domain in which they were first used

Ties a session ID to the domain it was first used on, so it cannot be replayed against another Salesforce domain. Much lower friction than IP locking and suitable for nearly every org.

Force logout on session timeout

Stricter than the default, which prompts the user to log back in and resume the page.

Force relogin after Login-As-User

When an admin uses Login As and then logs out of the impersonated session, they are returned to the login page rather than dropped back into their own admin session.

Gotchas
  • Lock sessions to IP breaks for users on mobile data, because their carrier IP rotates regularly. If you have a heavy mobile user base, leave this off.
  • Session Timeout below 30 minutes is painful for users filling out long forms. Pair stricter timeouts with auto-save in your custom UI.
  • These settings are org-wide. Profile-level overrides exist for some (Session Timeout per profile), but most are global. Plan carefully.
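
Because these settings are scattered across one Setup page and a few profile pages, it is easy to drift from the posture you decided on. The check below is an added example, not code from this page or from Salesforce: it parses a SecuritySettings file as retrieved by the Metadata API and compares the session block against an office-worker baseline built from the steps and options above. The sample XML is constructed, and the element names (such as `sessionTimeout`, `lockSessionsToIp`, `forceLogoutOnSessionTimeout`) and the timeout picklist values are assumptions about the Metadata API's `SecuritySettings` type rather than anything the page states; confirm them against a file retrieved from your own org before relying on the script.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"

# Constructed sample of a retrieved SecuritySettings.settings-meta.xml (not from any real org).
# Element names under <sessionSettings> are assumed Metadata API field names.
SAMPLE_SETTINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <disableTimeoutWarning>false</disableTimeoutWarning>
        <enableCSRFOnGet>true</enableCSRFOnGet>
        <enableCSRFOnPost>true</enableCSRFOnPost>
        <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
        <enableClickjackNonsetupUser>false</enableClickjackNonsetupUser>
        <enableClickjackSetup>true</enableClickjackSetup>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <forceRelogin>false</forceRelogin>
        <lockSessionsToDomain>true</lockSessionsToDomain>
        <lockSessionsToIp>false</lockSessionsToIp>
        <sessionTimeout>TwelveHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
"""

# Assumed picklist values for the Session Timeout field, mapped to minutes for comparison.
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "OneHour": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Baseline for an office-worker population. lockSessionsToIp is deliberately not required,
# following the gotcha above: it breaks mobile and VPN-rotating users.
OFFICE_BASELINE = {
    "max_timeout_minutes": 120,
    "required_true": [
        "enableCSRFOnGet", "enableCSRFOnPost",
        "enableClickjackSetup", "enableClickjackNonsetupSFDC", "enableClickjackNonsetupUser",
        "forceLogoutOnSessionTimeout", "forceRelogin", "lockSessionsToDomain",
    ],
    "required_false": ["disableTimeoutWarning"],
}


def parse_session_settings(xml_text):
    """Return the children of <sessionSettings> as {name: value}; 'true'/'false' become bools."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{NS}}}sessionSettings")
    if node is None:
        raise ValueError("no sessionSettings element found")
    settings = {}
    for child in node:
        name = child.tag.split("}", 1)[1]  # drop the namespace prefix
        text = (child.text or "").strip()
        settings[name] = {"true": True, "false": False}.get(text.lower(), text)
    return settings


def check_session_settings(settings, baseline=OFFICE_BASELINE):
    """Compare parsed settings to a baseline; return one finding string per deviation."""
    findings = []
    timeout = settings.get("sessionTimeout")
    minutes = TIMEOUT_MINUTES.get(timeout)
    if minutes is None:
        findings.append(f"sessionTimeout: unrecognised value {timeout!r}")
    elif minutes > baseline["max_timeout_minutes"]:
        findings.append(f"sessionTimeout: {timeout} ({minutes} min) exceeds "
                        f"{baseline['max_timeout_minutes']} min")
    for key in baseline["required_true"]:
        if settings.get(key) is not True:
            findings.append(f"{key}: expected true, found {settings.get(key)!r}")
    for key in baseline["required_false"]:
        if settings.get(key) is not False:
            findings.append(f"{key}: expected false, found {settings.get(key)!r}")
    return findings


if __name__ == "__main__":
    for finding in check_session_settings(parse_session_settings(SAMPLE_SETTINGS_XML)):
        print("FINDING", finding)
```

Run against the constructed sample it reports four deviations: the 12-hour timeout, clickjack protection off for customer Visualforce pages, and both force-logout and force-relogin disabled. Swap `OFFICE_BASELINE` for a second dictionary (a lower `max_timeout_minutes`, or `lockSessionsToIp` added to `required_true`) to express the profile-by-profile policy the text argues for, and run the check in CI after each metadata retrieve so a quietly relaxed setting is caught before it reaches Health Check.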
§ 06

How organizations use Session Settings

Pacific Crest Bank

Tightened session timeout to 30 minutes for admin profiles; balanced security with operational practicality.

Atlas Manufacturing

IP locking disabled for mobile reps; usability concerns outweighed the security benefit for that population.


🧠 Test your knowledge

Q1. Can a Salesforce admin configure Session Settings without writing code?

Q2. In which area of Salesforce would you typically find Session Settings?

Q3. What is the primary benefit of Session Settings for Salesforce administrators?

