Session Timeout
Definition
A Salesforce security setting that defines how long a user session can remain inactive before it automatically expires and the user must log in again. It is configurable in Session Settings for the org and for individual profiles.
In plain English
“Session Timeout is a Salesforce security setting that defines how long a user session can sit idle before it expires and requires re-login. You configure it in Session Settings in Setup, and it's part of your org's security posture.”
Worked example
Saxon Financial - a securities trading firm regulated under FINRA - sets the Session Timeout in Setup → Session Settings to 15 minutes idle, and 30 minutes maximum even with activity. When a trader steps away from her desk to grab coffee, her Salesforce session expires before she returns; she logs back in via SSO and her work continues, but a stranger walking by can't see customer account positions because the screen has already locked. Compliance audits the Session Timeout setting quarterly as part of the firm's controls; without an enforced short timeout, FINRA would flag the access controls as inadequate.
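The quarterly audit described above can be automated against metadata retrieved from the org. The following is an added example, not part of the original page and not Salesforce's own code. It assumes the Metadata API file layout (an enum `sessionTimeout` under `sessionSettings` in the org's Security settings file, and `sessionTimeout` in minutes in each ProfileSessionSetting file); the function names, the `Trader` profile and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed Metadata API layout; confirm against files retrieved from your org.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Org-level sessionTimeout enum values mapped to minutes.
ENUM_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
    "TwoHours": 120, "FourHours": 240, "EightHours": 480,
    "TwelveHours": 720, "TwentyFourHours": 1440,
}

def org_timeout_minutes(security_xml):
    """Idle timeout in minutes from the org's Security settings XML."""
    root = ET.fromstring(security_xml)
    value = root.findtext("md:sessionSettings/md:sessionTimeout", namespaces=NS)
    if value is None or value.strip() not in ENUM_MINUTES:
        raise ValueError(f"unrecognised org sessionTimeout: {value!r}")
    return ENUM_MINUTES[value.strip()]

def profile_timeout(profile_xml):
    """(profile name, idle timeout in minutes) from a ProfileSessionSetting file."""
    root = ET.fromstring(profile_xml)
    name = root.findtext("md:profile", default="(unnamed)", namespaces=NS)
    return name, int(root.findtext("md:sessionTimeout", namespaces=NS))

def audit(security_xml, profile_xmls, max_minutes=15):
    """Return one finding per scope whose idle timeout exceeds policy."""
    try:
        scopes = [("org", org_timeout_minutes(security_xml))]
    except ValueError as exc:
        return [f"org: {exc}"]  # fail closed: an unknown value is a finding
    # A profile-level setting can be longer than the org default, so check each.
    scopes += [(f"profile {n}", m) for n, m in map(profile_timeout, profile_xmls)]
    return [f"{scope}: {m} min exceeds {max_minutes} min policy"
            for scope, m in scopes if m > max_minutes]

# Constructed sample input, not taken from a real org.
SAMPLE_ORG = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <sessionSettings><sessionTimeout>FifteenMinutes</sessionTimeout></sessionSettings>
</SecuritySettings>"""
SAMPLE_PROFILE = """<ProfileSessionSetting xmlns="http://soap.sforce.com/2006/04/metadata">
  <profile>Trader</profile><sessionTimeout>120</sessionTimeout>
</ProfileSessionSetting>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_ORG, [SAMPLE_PROFILE]) or ["all scopes within policy"]:
        print(line)
```

In the sample, the org default meets the 15-minute policy but the profile-level value does not, which is the drift an org-only check would miss.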
Why Session Timeout matters
Session Timeout is a Salesforce security setting that defines how long a user session can remain inactive before it automatically expires and the user must log in again. It is configured in Session Settings in Setup. Shorter timeouts improve security (less risk from abandoned sessions) but can inconvenience users who step away briefly.
Session timeout is a balance between security and usability. Very short timeouts (15 minutes) are more secure but frustrate users. Very long timeouts (8 hours) are convenient but risky if someone walks away from an unlocked computer. Mature orgs choose timeouts based on their security requirements and user work patterns, often with different settings for different environments.
How organizations use Session Timeout
Configures short session timeouts for compliance with security policies.
Balances timeout settings between security requirements and user convenience.
Documents timeout settings as part of security configuration governance.
Test your knowledge
Q1. What is Session Timeout?
Q2. What's the trade-off?
Q3. Where is it configured?