[SalesForce] Composite App integration and “Lock sessions to the IP address from which they originated”

I have an older Composite App that uses a Web Tab for integration. It is essentially an iframe that passes the current Session ID and Server URL to an external web application in the query string. The external application can then use the session details to integrate back into Salesforce using the various APIs.

This works well, unless the user/admin has checked "Lock sessions to the IP address from which they originated" (under Administration Setup > Security Controls > Session Settings).

From the docs:

Lock sessions to the IP address from which they originated
Determines whether user sessions are locked to the IP address from which the user logged in; helping to prevent unauthorized persons from hijacking a valid session.

Note
This may inhibit various applications and mobile devices

Is there any way to white list IP addresses to bypass this setting?

Would switching to a Canvas App with Signed Request work around this issue?
I suspect not, but it is worth checking.

Best Answer

At this stage I think the answer is: No, you can't bypass the "Lock sessions to the IP from which they originated" setting. Having this on essentially disables apps that integrate back into Salesforce using the current user's Session Id.

The app would need to establish a separate session using OAuth or stored credentials.

Vote for the Idea: Lock Session Ids - Allow Trusted Networks Access

I'd be more than happy to be proved wrong here.
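
The approach from the answer above, as an added example that is not part of the original post or any Salesforce code: the external app obtains its own session through the OAuth 2.0 refresh-token grant from its own server, instead of reusing the Session ID passed in the iframe query string. The function names, the host-suffix check and the sample response are assumptions constructed for illustration; requests are built but not sent.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
ALLOWED_SUFFIX = ".salesforce.com"  # assumption: adjust for your org's domains

# Constructed sample of a successful token response (values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "instance_url": "https://example.my.salesforce.com",
    "token_type": "Bearer",
})


def build_token_request(client_id, client_secret, refresh_token):
    """Build (without sending) the refresh-token grant POST for the app server."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode("ascii")
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def check_instance_url(url):
    """Accept only https URLs on the expected domain; return the bare origin."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"untrusted instance URL: {url!r}")
    return f"https://{host}"


def parse_token_response(raw):
    """Return (access_token, instance_url) or raise on an OAuth error body."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], check_instance_url(data["instance_url"])


def build_api_request(access_token, instance_url, path):
    """Build an API call that carries the app's own token in a header, not the URL."""
    return urllib.request.Request(
        check_instance_url(instance_url) + path,
        headers={"Authorization": f"Bearer {access_token}"},
    )
```

Because the token request is made by the app server, the resulting session originates from that server's address, and the instance URL comes from the token response rather than from a query-string parameter.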
