What is the impact of session setting ‘lock sessions to the domain first used’?
I am trying to activate the session setting ‘lock sessions to the domain first used.’ But I want to know what happens when a user uses App Exchange products like Oracle CPQ. I think the domain does not change in the browser. Also, the domain changes for VF pages compared to the initial login domain.
When users use different domains, they get access to another session Id linked to a Parent Session. There are four child sessions for every parent session. The parent was initiated by UI, which is the Parent session. So, if you end the session, that can also end all the child sessions. In Lock Sessions to the domain in which they were first used, each session can be used for the domain from which it was first used. If you do not have this setting, You can copy an API Session Id to use it in the browser and Visualforce trick, which can lead to getting an API-activated Session Id in Lightning or any third party using which you can send a session Id.
In the ordinary course of UI usage, CPQ can work if the user gets transferred from any known source. But it may fail sometimes. For example, an extension that logs you in with API helps reach CPQ directly.
Answer (1)
The session setting "Lock sessions to the domain first used" in Salesforce is a security feature designed to enhance the protection of user sessions. When this setting is enabled, it has the following impacts:
Increased Security:
Domain Locking: User sessions are restricted to the domain where the session was initially established. This means that if a user logs in from a specific domain (e.g., https://example.my.salesforce.com), their session cannot be reused or hijacked from another domain.
Prevents Session Hijacking: By locking the session to the original domain, it becomes more difficult for attackers to hijack a session by capturing session cookies and trying to use them on a different domain. This mitigates the risk of man-in-the-middle (MITM) attacks and cross-site scripting (XSS) attacks that could exploit session cookies.
User Experience:
Consistent Domain Usage: Users need to consistently use the same domain during their session. If they accidentally switch to a different domain (for example, by following a link to a different Salesforce domain), they will be required to log in again. This could lead to minor inconveniences if users are not aware of the need to stick to one domain.
Potential Reauthentication: Users might experience more frequent prompts to reauthenticate if they switch domains, as the session will not transfer between domains.
Administrative Considerations:
Configuration: Administrators need to ensure that users are aware of the necessity to remain on the same domain during their sessions. Communication and training may be required to prevent confusion.
Compatibility with Integrations: Any integrations or third-party applications that rely on user sessions need to be verified for compatibility with this setting. If integrations redirect users to different domains, they might require adjustments to ensure they work seamlessly with locked sessions.
Operational Impact:
Consistency: Ensuring all links and bookmarks point to the correct domain can prevent disruptions. Administrators should audit and update any hardcoded links or bookmarks that might point users to different domains.
Session Management: This setting might require more careful session management practices, especially in environments with complex domain configurations or multiple Salesforce orgs.
Summary
Enabling "Lock sessions to the domain first used" in Salesforce significantly enhances session security by tying the user session to the domain where it was initiated, thus reducing the risk of session hijacking. However, it also requires careful management and user awareness to prevent inconveniences related to domain switching and reauthentication. Administrators need to ensure that all domain-related configurations and integrations are compatible with this security setting.