This setting helps prevent unauthorized use of the session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.
Step 1: Review Session Settings
Start by reviewing your Salesforce org’s session settings to understand the current configuration.
- Example: Navigate to Setup > Session Settings in Salesforce. Look for settings related to session security, such as “Lock sessions to the IP address from which they originated” and “Enforce login IP ranges on every request”.
Step 2: Enable Strict Domain Restrictions
Ensure that session settings are configured to restrict sessions strictly to the domain from which they were initiated.
- Example: Enable the setting “Lock sessions to the domain in which they were first used”. This ensures that a session cookie is only sent to the domain where the session was initiated, preventing its use from an unauthorized domain.
Step 3: Configure Trusted IP Ranges
Define trusted IP ranges for your Salesforce org. This restricts login and session continuation only to requests originating from known, safe IP addresses.
- Example: In Setup > Network Access, add trusted IP ranges that cover your corporate network. This limits access to your Salesforce org’s sessions from within these IPs, enhancing security.
Step 4: Implement Custom Login Flows (if necessary)
For advanced security measures, consider implementing custom login flows that include additional verification steps when a session is initiated from a new domain.
- Example: Create a custom login flow that triggers a multi-factor authentication (MFA) challenge if a login attempt is detected from a domain or IP address that's not recognized as trusted.
Step 5: Educate Users About Secure Practices
Educate your Salesforce users on the importance of not initiating sessions from untrusted domains and the risks involved.
- Example: Conduct training sessions or send communications explaining how to identify phishing attempts and the importance of ensuring they are logging in from the official Salesforce domain.
Step 6: Monitor and Audit Session Activity
Regularly monitor and audit session activity for any anomalies or unauthorized access attempts. Salesforce provides tools and reports for tracking session and login activities.
- Example: Use the Login History report available under Setup to review sessions and identify any access attempts from unexpected domains.
Step 7: Update Security Policies Regularly
Regularly review and update your security policies and settings in response to evolving security threats and changing organizational needs.
- Example: Schedule quarterly reviews of session settings and trusted IP ranges to adjust for any network changes or updates to security best practices.
By following these steps, Salesforce Admins can enhance the security of their Salesforce org by ensuring that sessions are properly restricted to the initiating domain, significantly reducing the risk of unauthorized access and other security vulnerabilities.
