salesforce_security_impl_guide
Configuring Salesforce Security Features
Setting Session Security
Field: Lock sessions to the IP address from which they originated
Description: Determines whether user sessions are locked to the IP address from which the user logged in. This helps prevent an unauthorized person who obtains a valid session ID (for example, by stealing the session cookie) from using it from another address.
Note: Because every request whose source address differs from the login address is rejected, this setting may break applications and mobile devices whose IP address changes during a session, such as a phone moving between mobile data and Wi-Fi.
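The following Python script is added here as an illustration and is not part of the Salesforce guide. It models what the setting does: each session is bound to the IP address seen at login, and a later request for that session from another address is rejected when the lock is on. It also shows the detection an administrator can run over login history when the setting has to stay off because of roaming mobile clients. The log format, session IDs and addresses are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample of session activity (not real Salesforce log data).
# Each line: timestamp, session id, client IP, action. Session sess-A1 is
# used from a second address after login, which is what the setting blocks.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z session=sess-A1 ip=203.0.113.10 action=login
2024-05-01T10:00:09Z session=sess-A1 ip=203.0.113.10 action=view_account
2024-05-01T10:03:42Z session=sess-A1 ip=198.51.100.7 action=export_report
2024-05-01T10:05:00Z session=sess-B2 ip=192.0.2.44 action=login
2024-05-01T10:06:15Z session=sess-B2 ip=192.0.2.44 action=edit_contact
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def enforce(events, lock_to_ip):
    """Model the 'lock sessions to originating IP' check.

    A session is bound to the IP seen on its first event (the login).
    With lock_to_ip=True a later request from a different IP is rejected,
    which is the hijack case the setting protects against. With the lock
    off the request is accepted but reported so it can still be reviewed.
    Returns (rejected, warnings), both lists of events.
    """
    origin = {}
    rejected, warnings = [], []
    for ev in events:
        sid, ip = ev["sid"], ev["ip"]
        if sid not in origin:
            origin[sid] = ip  # bind the session to its login address
            continue
        if ip == origin[sid]:
            continue
        if lock_to_ip:
            rejected.append(ev)
        else:
            warnings.append(ev)
    return rejected, warnings


def sessions_with_ip_change(events):
    """Detection variant for orgs that must leave the setting off (mobile
    clients change address): sessions seen from more than one IP, in order."""
    seen = OrderedDict()
    for ev in events:
        ips = seen.setdefault(ev["sid"], [])
        if ev["ip"] not in ips:
            ips.append(ev["ip"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rejected, _ = enforce(evs, lock_to_ip=True)
    print("rejected with lock on:", [(e["sid"], e["ip"], e["action"]) for e in rejected])
    print("sessions seen from several IPs:", sessions_with_ip_change(evs))
```

With the lock on, the export from 198.51.100.7 on session sess-A1 is refused; with it off, the same event surfaces as a warning, which is the signal to alert on if the note above forces you to keep the setting disabled.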
Field: Require secure connections (HTTPS)
Description: Determines whether HTTPS is required to log in to or access Salesforce. Force.com sites are exempt and can still be accessed using HTTP. This option is enabled by default for security reasons: with it on, the login credentials and session cookie are never sent in clear text where they could be read on the network.
Note: The Resetting Passwords for Your Users page can only be accessed using HTTPS.
Field: Force relogin after Login-As-User
Description: Determines whether an administrator who is logged in as another user is returned to their previous session after logging out as the secondary user. If the option is enabled, the administrator must log in again to continue using Salesforce after logging out as the user; otherwise the administrator is returned to the original session after logging out as the user. This option is enabled by default for new organizations beginning with the Summer '14 release.

Field: Require HttpOnly attribute
Description: Restricts session ID cookie access. A cookie with the HttpOnly attribute is still sent by the browser with each HTTP request, but it is not exposed to script running in the page (for example, through JavaScript's document.cookie), so a cross-site scripting flaw in a page cannot read the session ID out of the cookie.
Note: If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application because it denies the application access to the cookie. The Developer Console and the AJAX Toolkit debugging window are also not available while Require HttpOnly attribute is selected.
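The following Python script is an added example, not code from the Salesforce guide. It audits the Set-Cookie headers returned by a login response: it reports which session cookies lack the HttpOnly and Secure attributes, and which cookies page script could read, which is exactly the access the setting above removes. It assumes the session cookie is named sid; the header values are constructed for the example.

```python
# Constructed Set-Cookie headers (not captured from a real Salesforce org).
# WEAK_HEADERS: the session cookie has Secure but no HttpOnly, so page
# script can read it. HARDENED_HEADERS: what the setting above produces.
WEAK_HEADERS = [
    "sid=ctor-session-value; Path=/; Secure",
    "BrowserId=ctor-browser-value; Path=/",
]
HARDENED_HEADERS = [
    "sid=ctor-session-value; Path=/; Secure; HttpOnly",
    "BrowserId=ctor-browser-value; Path=/; Secure",
]

# Assumption for this example: the Salesforce session cookie is called sid.
SESSION_COOKIES = {"sid"}
REQUIRED = ("HttpOnly", "Secure")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as HttpOnly map to True, valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def script_visible_cookies(headers):
    """Cookie names that document.cookie would expose: everything without HttpOnly."""
    return [n for n, _, a in map(parse_set_cookie, headers) if "httponly" not in a]


def audit(headers, session_names=SESSION_COOKIES):
    """Map each session cookie to the required attributes it is missing."""
    findings = {}
    for n, _, a in map(parse_set_cookie, headers):
        if n in session_names:
            missing = [r for r in REQUIRED if r.lower() not in a]
            if missing:
                findings[n] = missing
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "missing:", audit(hdrs), "script can read:", script_visible_cookies(hdrs))
```

To run this against a real response, pass the raw Set-Cookie headers of the login response (with requests, the urllib3 headers behind response.raw expose them through getlist("Set-Cookie")); an empty audit result for sid is what you expect once both Require HttpOnly attribute and Require secure connections (HTTPS) are on.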
Field: Use POST requests for cross-domain sessions
Description: Sets the organization to send session information using a POST request, instead of a GET request, for cross-domain exchanges, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests because POST requests keep the session information in the body of the request rather than in the URL, where it would be recorded in browser history, server and proxy logs, and the Referer header sent to other sites. However, if you enable this setting, embedded content from another domain, such as:

might not display.
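The following Python script is an added example, not code from the Salesforce guide, showing why session information in a GET request is a problem. It scans constructed web-server log lines in Combined Log Format for session parameters in request URLs and in Referer headers, and shows how to redact them before logs are stored. The parameter names sid, sessionid and session_id are an assumption; the log lines, host name and session values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Constructed access-log lines in Combined Log Format (not real traffic).
# Line 1: a session id passed in a GET query string, so it lands in the log.
# Line 2: a third-party host receiving the same URL in the Referer header.
# Line 3: the POST form of the exchange; the body is not logged.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /visualforce/page?sid=ctor-session-1&id=001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:00:05 +0000] "GET /widget.js HTTP/1.1" 200 88 "https://example.my.salesforce.com/page?sid=ctor-session-1" "Mozilla/5.0"
203.0.113.10 - - [01/May/2024:10:01:10 +0000] "POST /visualforce/page HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: query parameter names that carry a session identifier.
SESSION_PARAMS = {"sid", "sessionid", "session_id"}


def session_params_in(url):
    """Names of session-carrying query parameters present in a URL (sorted)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(p for p in qs if p.lower() in SESSION_PARAMS)


def find_session_leaks(log_text):
    """Report every log line where a session parameter appears in the
    request target or in the Referer header. POST bodies are not in the
    log, so a session sent by POST produces no finding."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            for p in session_params_in(url):
                leaks.append({"line": n, "where": where, "param": p, "method": m["method"]})
    return leaks


def redact_session_params(url):
    """Return the URL with the value of every session parameter replaced,
    preserving parameter order, for log pipelines that must keep URLs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for leak in find_session_leaks(SAMPLE_ACCESS_LOG):
        print(leak)
    print(redact_session_params("/visualforce/page?sid=ctor-session-1&id=001"))
```

The first two lines both expose the same session value, once to whoever can read the Salesforce-side logs and once to the third-party host that served widget.js; the POST on line 3 leaves nothing behind, which is the property the setting above buys.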
Field: Enable caching and password autocomplete on login page
Description: Allows the user's browser to store usernames. If enabled, after an initial login, usernames are auto-filled into the User Name field on the login page. This preference is selected by default, so caching and autocomplete are enabled. Consider clearing it where users log in from shared or kiosk machines, since anything the browser stores for the login page is available to the next person at that keyboard.

Field: Enable SMS-based identity confirmation
Description: Enables users to receive a one-time PIN delivered via SMS. Once enabled, administrators or users must verify their mobile phone number before taking advantage of this feature. This setting is selected by default for all organizations.