
We are looking to enable the Session Setting -> 'Lock Sessions to the domain first used'.

Unlike the other setting, where we can restrict the user to the original IP address, I am a little concerned with this specific setting.

I request for some clarity on this.

What happens when the user tries to use AppExchange products? For example, with Oracle CPQ, my understanding is that the domain does change in the browser. Even for VF pages, the domain changes compared to the initial login domain.

Any help much appreciated!

1 Answer

When users switch between domains, they get an additional Session Id for that domain, and they are all linked to a Parent Session (but the parent itself does not have a Parent Id).

As an example:

[Image: Active Sessions example from Setup, showing one parent session with four child sessions]

As you can see, four child sessions exist for one parent session. The parent was initiated by the UI, so that's the parent session. Ending that session also ends all child sessions.

With Lock Sessions to the domain first used, each session can only be used for the domain it was issued from. Without this setting, it is possible to, for example, copy an API session Id and use it in the browser, or use the Visualforce trick to get an API-enabled Session Id in Lightning, or even a third-party site that you might send a session Id to through some means (e.g. Postman).

This is a security enhancement that will limit the amount of harm that an exposed session ID can do but will break some kinds of integrations that piggyback off of a different session. In the normal course of UI usage, things like CPQ will still work as long as the user is transferred there from an expected source (e.g. in the UI, clicking on a tab to get to CPQ), but may fail in some rare cases, such as using an extension that logs you in with the API and takes you to CPQ directly.

– sfdcfox
  • Thanks @sfdcfox for the detailed response. Much appreciated. What I am not clear on yet is, if I enable that setting, will domains like CPQ fail? – Chellappa Karimanoor Oct 13 '22 at 20:50
  • Just did a little reading; looks like I have to add external system domains into my CORS allowlist to overcome the impact of enabling the session setting. Looking for confirmation from others. Thanks. – Chellappa Karimanoor Oct 13 '22 at 22:01
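The parent/child session linkage described in the answer can be inspected directly rather than only through the Setup screenshot. The following is an added example (not code from the answer or from Salesforce documentation): an anonymous Apex script that queries the standard AuthSession object for the running user's sessions and groups the child sessions under the parent that has no ParentId. It assumes the running user is allowed to read AuthSession (for example via the "Manage Users" permission); the field names used (ParentId, SessionType, LoginType, SourceIp, UsersId, NumSecondsValid) are standard AuthSession fields.

```apex
// Added example, not part of the original answer.
// Lists the running user's sessions and groups each child session
// (one issued for another domain, e.g. Visualforce or API) under its
// parent UI session, mirroring the Active Sessions view in Setup.
// Assumption: the running user can read AuthSession.
List<AuthSession> sessions = [
    SELECT Id, ParentId, SessionType, LoginType, SourceIp,
           CreatedDate, NumSecondsValid
    FROM AuthSession
    WHERE UsersId = :UserInfo.getUserId()
    ORDER BY CreatedDate
];

// Parent sessions have no ParentId; everything else hangs off one of them.
List<AuthSession> parents = new List<AuthSession>();
Map<Id, List<AuthSession>> childrenByParent = new Map<Id, List<AuthSession>>();

for (AuthSession s : sessions) {
    if (s.ParentId == null) {
        parents.add(s);
    } else {
        if (!childrenByParent.containsKey(s.ParentId)) {
            childrenByParent.put(s.ParentId, new List<AuthSession>());
        }
        childrenByParent.get(s.ParentId).add(s);
    }
}

for (AuthSession p : parents) {
    List<AuthSession> children = childrenByParent.containsKey(p.Id)
        ? childrenByParent.get(p.Id)
        : new List<AuthSession>();
    System.debug('Parent ' + p.Id + ' type=' + p.SessionType
        + ' login=' + p.LoginType + ' ip=' + p.SourceIp
        + ' children=' + children.size());
    for (AuthSession c : children) {
        // With "Lock Sessions to the domain first used" enabled, each of
        // these child Ids is only valid on the domain it was issued for.
        System.debug('  child ' + c.Id + ' type=' + c.SessionType
            + ' validFor=' + c.NumSecondsValid + 's');
    }
}
```

Run it from Developer Console (Execute Anonymous) while signed in through the UI, then open a Visualforce page or make an API call and run it again: the new child session appears under the same parent, and ending the parent in Setup removes the whole group, as the answer describes.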