[SalesForce] Session Settings

I see these two settings in the session settings and I understand the basic use of it.

Lock sessions to the IP address from which they originated

Enforce login IP ranges on every request

To me, it seems Lock sessions to the IP address from which they originated is redundant and not required when you enable Enforce login IP ranges on every request, because Salesforce checks the IP on every request. I'm trying to understand when we should enable both settings. Would appreciate any insight.

Thanks.

Best Answer

They have different meanings. From this doc:

Lock sessions to the IP address from which they originated

Determines whether user sessions are locked to the IP address from which the user logged in, helping to prevent unauthorized persons from hijacking a valid session.

Enforce login IP ranges on every request

Restricts the IP addresses from which users can access Salesforce to only the IP addresses defined in Login IP Ranges. If this setting is enabled, login IP ranges are enforced on each page request, including requests from client applications. If this setting isn’t enabled, login IP ranges are enforced only when a user logs in. This setting affects all user profiles that have login IP restrictions.

This means that the first setting will stop a potentially malicious user from using a session ID to access SFDC from an IP address that is not the one from which the session ID originated (i.e., the login).

The second setting, however, will restrict you from calling SFDC to the IP ranges specified. But there is nothing to stop another user in the same IP range from using a session that you opened (that's what the first setting is for). Depending on your whitelisting ranges, this could be a rather large problem, or an edge case.
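To make the difference between the two settings concrete, here is a small policy model, added as an illustration and not code from the original answer or from Salesforce. It treats each setting as one check applied to a request that carries an existing session ID, runs three request scenarios (the user's own address, a different host inside the whitelisted range, and a host outside it) against all four combinations of the settings, and reports which requests each combination allows. The Login IP Range, session ID and addresses are constructed for the example (documentation-reserved ranges), and the check order is an assumption of the model rather than Salesforce's documented implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed Login IP Range for a hypothetical profile (RFC 5737 documentation addresses).
LOGIN_IP_RANGES = ["203.0.113.0/24"]


@dataclass(frozen=True)
class Session:
    session_id: str
    origin_ip: str  # address the user logged in from


@dataclass(frozen=True)
class SessionSettings:
    lock_sessions_to_origin_ip: bool          # "Lock sessions to the IP address from which they originated"
    enforce_ip_ranges_on_every_request: bool  # "Enforce login IP ranges on every request"


def ip_in_ranges(ip: str, ranges: List[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in ranges)


def login(ip: str, ranges: List[str]) -> Tuple[Optional[Session], str]:
    """Login IP Ranges are enforced at login time regardless of either setting."""
    if not ip_in_ranges(ip, ranges):
        return None, "login denied: IP outside Login IP Ranges"
    # Constructed session ID; a real one is an opaque token issued by the platform.
    return Session(session_id="sess-constructed-001", origin_ip=ip), "login ok"


def authorize_request(session: Session, request_ip: str,
                      settings: SessionSettings, ranges: List[str]) -> Tuple[bool, str]:
    """Evaluate one request that presents an existing session ID (model, not Salesforce's code)."""
    if settings.enforce_ip_ranges_on_every_request and not ip_in_ranges(request_ip, ranges):
        return False, "denied: request IP outside Login IP Ranges"
    if settings.lock_sessions_to_origin_ip and request_ip != session.origin_ip:
        return False, "denied: session is locked to %s" % session.origin_ip
    return True, "allowed"


def evaluate_configurations() -> Dict[Tuple[bool, bool], Dict[str, bool]]:
    """Run three request scenarios against every settings combination.

    Returns {(lock_sessions, enforce_ranges): {scenario_name: allowed}}.
    """
    session, _ = login("203.0.113.10", LOGIN_IP_RANGES)
    scenarios = {
        "same_ip": "203.0.113.10",                # the legitimate user's own requests
        "same_range_other_host": "203.0.113.20",  # a different host inside the whitelisted range
        "outside_range": "198.51.100.5",          # a host outside the Login IP Ranges
    }
    results: Dict[Tuple[bool, bool], Dict[str, bool]] = {}
    for lock in (False, True):
        for enforce in (False, True):
            settings = SessionSettings(lock, enforce)
            results[(lock, enforce)] = {
                name: authorize_request(session, ip, settings, LOGIN_IP_RANGES)[0]
                for name, ip in scenarios.items()
            }
    return results


if __name__ == "__main__":
    print("lock_sessions  enforce_ranges  same_ip  same_range_other_host  outside_range")
    for (lock, enforce), outcome in evaluate_configurations().items():
        print("%-13s  %-14s  %-7s  %-21s  %s" % (
            lock, enforce, outcome["same_ip"],
            outcome["same_range_other_host"], outcome["outside_range"]))
```

The row for enforce-only (lock off, ranges enforced on every request) is the gap the answer points out: the request from the outside address is rejected, but the request from another host inside the whitelisted range reusing the same session ID is still allowed. Only the setting that locks the session to its origin address rejects that case, and it does so whether or not ranges are enforced per request. How much that gap matters depends on how wide the Login IP Ranges are.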
