Definition
Session Settings is a Setup page where administrators configure global session behavior for the org, including session timeout duration, whether to lock sessions to the originating IP address, clickjack protection, CSRF protection, and whether to force re-login after a session expires.
Real-World Example
The security admin at Granite Financial tightens Session Settings by reducing the session timeout from 12 hours to 2 hours, enabling "Lock sessions to the IP address from which they originated," turning on clickjack protection for all pages, and requiring secure connections (HTTPS) for all sessions. Each change narrows what an attacker can do with a stolen or unattended session: a shorter timeout limits how long it stays valid, IP locking stops a copied session ID from being replayed from another address, and clickjack protection and HTTPS block two common ways of capturing or abusing one in the first place.
Why Session Settings Matters
Session Settings is a centralized Setup page where Salesforce administrators configure the global security policies that govern all user sessions. Key settings include session timeout duration, IP address locking (which invalidates a session if it is presented from an IP address other than the one it was created from), clickjack protection, CSRF (Cross-Site Request Forgery) protection, and the requirement for secure HTTPS connections. These settings form a critical layer of the org's security posture because they control what happens after authentication: even if login security is strong, weak session settings can leave the org vulnerable to session hijacking and other attacks.
As organizations undergo security audits and compliance certifications, Session Settings are among the first areas reviewers examine. A 12-hour session timeout might be convenient for users but represents a significant risk if a laptop is left unattended. IP address locking adds protection but can cause issues for mobile users who switch networks frequently, and for users behind load-balanced or rotating NAT gateways whose source address changes mid-session. Administrators must balance security with usability, and this requires understanding the trade-offs of each setting. Organizations that leave Session Settings at their defaults are implicitly accepting a risk posture that may not align with their compliance obligations; every setting should be a deliberate choice documented in the security policy, and that policy should be checked against the org's actual configuration rather than assumed.
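The check described above, turned into working code as an added example (this is not code from the original page or from Salesforce): it parses the <sessionSettings> block of a SecuritySettings file as the Metadata API retrieves it and reports every setting that departs from a written session policy. Both XML documents are constructed for the example, the element names and SessionTimeout values are the author's recollection of the SecuritySettings metadata type and should be confirmed against a real retrieved Security.settings file, and the policy values (2-hour maximum, which flags are mandatory versus advisory) are hypothetical.

```python
"""Audit the <sessionSettings> block of a Salesforce SecuritySettings file
against a written session policy.

Both XML documents below are constructed for this example, not retrieved from
any org. Element names and enum values follow the Metadata API SecuritySettings
type as recalled by the author; treat them as assumptions and confirm them
against the Security.settings file your own retrieve returns.
"""
import xml.etree.ElementTree as ET

MD_NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Assumed SessionTimeout enum spellings, mapped to minutes so that policy can
# compare durations instead of string-matching one "approved" value.
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "OneHour": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Hypothetical policy: these must be on. lockSessionsToIp is advisory only,
# because the page's own examples show it breaking users who roam between
# networks, so a "false" is a risk to document rather than an automatic fail.
REQUIRED_TRUE = (
    "enableClickjackSetupPages", "enableClickjackNonsetupSFDC",
    "enableClickjackNonsetupUser", "enableCSRFOnGet", "enableCSRFOnPost",
    "forceLogoutOnSessionTimeout", "requireHttps",
)
ADVISORY_TRUE = ("lockSessionsToIp",)
MAX_TIMEOUT_MINUTES = 120  # the two-hour target from the page's example

# Constructed "before": defaults left alone, as the page warns against.
WEAK_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwelveHours</sessionTimeout>
        <lockSessionsToIp>false</lockSessionsToIp>
        <enableClickjackSetupPages>true</enableClickjackSetupPages>
        <enableClickjackNonsetupSFDC>false</enableClickjackNonsetupSFDC>
        <enableClickjackNonsetupUser>false</enableClickjackNonsetupUser>
        <enableCSRFOnGet>true</enableCSRFOnGet>
        <enableCSRFOnPost>true</enableCSRFOnPost>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <requireHttps>true</requireHttps>
    </sessionSettings>
</SecuritySettings>
"""

# Constructed "after": the hardened posture from the Granite Financial example.
HARDENED_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwoHours</sessionTimeout>
        <lockSessionsToIp>true</lockSessionsToIp>
        <enableClickjackSetupPages>true</enableClickjackSetupPages>
        <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
        <enableClickjackNonsetupUser>true</enableClickjackNonsetupUser>
        <enableCSRFOnGet>true</enableCSRFOnGet>
        <enableCSRFOnPost>true</enableCSRFOnPost>
        <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
        <requireHttps>true</requireHttps>
    </sessionSettings>
</SecuritySettings>
"""


def parse_session_settings(xml_text):
    """Return the children of <sessionSettings> as a dict, booleans as bool."""
    root = ET.fromstring(xml_text)
    block = root.find("md:sessionSettings", MD_NS)
    if block is None:
        raise ValueError("no <sessionSettings> element in SecuritySettings")
    parsed = {}
    for child in block:
        name = child.tag.rsplit("}", 1)[-1]  # strip the metadata namespace
        text = (child.text or "").strip()
        if text.lower() in ("true", "false"):
            parsed[name] = text.lower() == "true"
        else:
            parsed[name] = text
    return parsed


def audit_session_settings(settings, max_timeout_minutes=MAX_TIMEOUT_MINUTES):
    """Return (severity, setting, message) tuples; an empty list is compliant."""
    findings = []
    timeout = settings.get("sessionTimeout")
    minutes = TIMEOUT_MINUTES.get(timeout)
    if minutes is None:
        findings.append(("fail", "sessionTimeout", f"unrecognised value {timeout!r}"))
    elif minutes > max_timeout_minutes:
        findings.append(("fail", "sessionTimeout",
                         f"{timeout} exceeds policy maximum of {max_timeout_minutes} minutes"))
    for name in REQUIRED_TRUE:
        if settings.get(name) is not True:
            findings.append(("fail", name, "policy requires true"))
    for name in ADVISORY_TRUE:
        if settings.get(name) is not True:
            findings.append(("review", name, "disabled; document the accepted risk"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        findings = audit_session_settings(parse_session_settings(xml_text))
        print(f"{label}: {len(findings)} finding(s)")
        for severity, name, message in findings:
            print(f"  [{severity}] {name}: {message}")
```

Against the constructed weak file this reports the over-long timeout, the two clickjack flags left off for non-Setup pages, the missing forced logout, and an advisory entry for the IP lock; the hardened file produces no findings. To run it against a real org, replace the constructed strings with the contents of the retrieved Security.settings file and adjust the policy constants to match the documented security policy.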
How Organizations Use Session Settings
- Granite Financial — Granite's security admin tightened Session Settings by reducing the timeout from 12 hours to 2 hours, enabling IP address locking, turning on clickjack protection for all pages, and requiring HTTPS for all sessions. These four changes immediately addressed the top findings from their penetration test and moved them from a failing to passing score on their annual security assessment.
- Trident Healthcare — Trident configured different session timeout values using custom profiles (profile-level session settings override the org-wide value): clinical staff who access patient data get a 30-minute timeout, while marketing users who handle non-sensitive data get a 4-hour timeout. This differentiated approach meets the automatic-logoff control in their HIPAA program for clinical users without creating unnecessary friction for teams handling lower-risk information.
- Orbit SaaS Solutions — Orbit's distributed workforce frequently switches between office WiFi, home networks, and mobile hotspots. Enabling IP address locking caused widespread session drops, so they compromised by enabling it only for the admin and finance profiles while leaving it disabled for sales reps. They compensated with shorter timeouts and mandatory MFA to maintain their security posture.