Products
Solutions
Partners
Resources
Company
Pricing
Log In
Get Started
Issue Solutions

Lock sessions to the domain in which they were first used

Issue: Sessions are not restricted to initiating domain.

Admin Solution

This setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.

Step 1: Review Session Settings

Start by reviewing your Salesforce org’s session settings to understand the current configuration.

  • Example: Navigate to Setup > Session Settings in Salesforce. Look for settings related to session security, such as “Lock sessions to the IP address from which they originated” and “Enforce login IP ranges on every request”.

Step 2: Enable Strict Domain Restrictions

Ensure that session settings are configured to restrict sessions strictly to the domain from which they were initiated.

  • Example: Enable the setting “Lock sessions to the domain in which they were first used”. This ensures that a session cookie is only sent to the domain where the session was initiated, preventing its use from an unauthorized domain.

Step 3: Configure Trusted IP Ranges

Define trusted IP ranges for your Salesforce org. This restricts login and session continuation only to requests originating from known, safe IP addresses.

  • Example: In Setup > Network Access, add trusted IP ranges that cover your corporate network. This limits access to your Salesforce org’s sessions from within these IPs, enhancing security.

Step 4: Implement Custom Login Flows (if necessary)

For advanced security measures, consider implementing custom login flows that include additional verification steps when a session is initiated from a new domain.

  • Example: Create a custom login flow that triggers a multi-factor authentication (MFA) challenge if a login attempt is detected from a domain or IP address that's not recognized as trusted.

Step 5: Educate Users About Secure Practices

Educate your Salesforce users on the importance of not initiating sessions from untrusted domains and the risks involved.

  • Example: Conduct training sessions or send communications explaining how to identify phishing attempts and the importance of ensuring they are logging in from the official Salesforce domain.

Step 6: Monitor and Audit Session Activity

Regularly monitor and audit session activity for any anomalies or unauthorized access attempts. Salesforce provides tools and reports for tracking session and login activities.

  • Example: Use the Login History report available under Setup to review sessions and identify any access attempts from unexpected domains.

Step 7: Update Security Policies Regularly

Regularly review and update your security policies and settings in response to evolving security threats and changing organizational needs.

  • Example: Schedule quarterly reviews of session settings and trusted IP ranges to adjust for any network changes or updates to security best practices.

By following these steps, Salesforce Admins can enhance the security of their Salesforce org by ensuring that sessions are properly restricted to the initiating domain, significantly reducing the risk of unauthorized access and other security vulnerabilities.

Products
Org Audits
Org Monitoring
Process Discovery
Process Monitoring
Use Cases
Agentforce Implementation
Security Audits
Org Merge Acceleration
Installed Package Accessor
Salesforce Documentation
Service Cloud Transformation
Sales Cloud Transformation
Industries
Salesforce Consultants
Salesforce ISVs
Nonprofits
Private Equity
Business Process Outsourcing (BPOs)
Resources
Hubbl Learning Hub
FAQs
Feature Releases
Contact Support
Company
About Us
Partners
Contact Us
Terms and Conditions
Privacy Policy
Trust Center