I see these two settings in the session settings and I understand the basic use of it.
Lock sessions to the IP address from which they originated
Enforce login IP ranges on every request
To me, it seems "Lock sessions to the IP address from which they originated" is redundant and not required when you enable "Enforce login IP ranges on every request", because Salesforce checks the IP on every request. I'm trying to understand when we should enable both settings. Would appreciate any insight.
Thanks.
Best Answer
They have different meanings. From this doc:
Lock sessions to the IP address from which they originated
Enforce login IP ranges on every request
This means that the first setting will stop a potentially malicious user from using a session ID to access SFDC from an IP address that is not the one from which the session ID originated (i.e., the one used to log in).
The second setting, however, restricts calls to SFDC to the IP ranges specified. But there is nothing to stop another user in the same IP range from using a session that you opened (that's what the first setting is for). Depending on your whitelisted ranges, this could be a rather large problem, or an edge case.
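To make the difference concrete, here is a small model of the two checks as the answer describes them. This is added example code, not Salesforce's implementation and not from the original post: it assumes a hypothetical `authorize_request` that applies the two settings to a request, a constructed login IP range (203.0.113.0/24, a documentation-only network) and a constructed session whose origin IP is inside that range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str   # constructed placeholder, not a real Salesforce session ID
    origin_ip: str    # IP address the session was created from (the login IP)


@dataclass(frozen=True)
class OrgSettings:
    login_ip_ranges: tuple             # CIDR strings, e.g. ("203.0.113.0/24",)
    lock_sessions_to_ip: bool          # "Lock sessions to the IP address from which they originated"
    enforce_ranges_every_request: bool  # "Enforce login IP ranges on every request"


def ip_in_ranges(ip, ranges):
    """True if `ip` falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def authorize_request(session, request_ip, settings):
    """Hypothetical model of the two checks from the answer; returns (allowed, reason).

    The range check asks "is the caller inside the allowed ranges at all?";
    the lock check asks "is the caller the same address that created this session?".
    They are independent: a request can pass one and fail the other.
    """
    if settings.enforce_ranges_every_request and not ip_in_ranges(
        request_ip, settings.login_ip_ranges
    ):
        return False, "request IP outside login IP ranges"
    if settings.lock_sessions_to_ip and request_ip != session.origin_ip:
        return False, "session is locked to its origin IP"
    return True, "ok"


# Constructed sample data (TEST-NET-2/TEST-NET-3 addresses, not real infrastructure).
RANGES = ("203.0.113.0/24",)
SESSION = Session(session_id="sess-1", origin_ip="203.0.113.10")


def compare_settings(session, request_ip, ranges=RANGES):
    """Evaluate one request under each meaningful combination of the two settings."""
    combos = {
        "range_only": OrgSettings(ranges, lock_sessions_to_ip=False, enforce_ranges_every_request=True),
        "lock_only": OrgSettings(ranges, lock_sessions_to_ip=True, enforce_ranges_every_request=False),
        "both": OrgSettings(ranges, lock_sessions_to_ip=True, enforce_ranges_every_request=True),
    }
    return {name: authorize_request(session, request_ip, s)[0] for name, s in combos.items()}


if __name__ == "__main__":
    # Session owner, same address: every combination allows it.
    print("owner      ", compare_settings(SESSION, "203.0.113.10"))
    # Colleague inside the whitelisted range replaying the stolen session ID:
    # range enforcement alone lets it through, only the IP lock stops it.
    print("same range ", compare_settings(SESSION, "203.0.113.77"))
    # Attacker outside the range: either setting stops it.
    print("outside    ", compare_settings(SESSION, "198.51.100.5"))
```

The second scenario is the one the answer calls out: an insider (or anyone behind the same NAT egress address, since the lock compares the source address it sees) is inside the allowed range, so "Enforce login IP ranges on every request" passes them while the session lock refuses a caller whose address differs from the login address. The converse also holds in this model: a session whose origin address is not in the ranges (for example, a range narrowed after login) keeps working under the lock alone and is cut off only by per-request range enforcement, which is why the two settings complement rather than replace each other.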