Xerox

Can your session id be used by another client?

When logging in to salesforce.com you are assigned a session id. What is preventing the session id from being "stolen" and used by another client? How does salesforce secure the session?


Thanks.

DevAngel

Hi Xerox,

The sessionid can be used by another user if they can get a hold of it. This is one reason why we stress SSL. Certainly if you have some malicious spyware running on your computer you might expose that session id unwittingly.

You can reduce this risk by setting tighter security in salesforce.com by binding session ids to the ip address that requested it initially.

Xerox
Very useful, thanks for the info!
Joyce

This is a security issue. Has there been fixes to this?

How do you bind the IP address to the sessionID, if we are using a WIL? That is not one of the merge fields.

DevAngel

Hi Joyce,

You can specify for any profile the valid IP addresses from which they can access salesforce.com. If you have a WIL that runs code on one of your servers, you would include the ip address from that server (if you are behind a proxy or firewall it would be the public ip address of that proxy or firewall). You can enter more than one range of ip addresses for any profile.

Does this talk to your concern?

daroz

DevAngel wrote:

Hi Joyce,

You can specify for any profile the valid IP addresses from which they can access salesforce.com. If you have a WIL that runs code on one of your servers, you would include the ip address from that server (if you are behind a proxy or firewall it would be the public ip address of that proxy or firewall). You can enter more than one range of ip addresses for any profile.

Does this talk to your concern?

I haven't tested it, but if I wanted to allow 24.0.0.0/8 as a netblock access, would the range check allow 24.0.0.0 thru 24.255.255.255 as valid? Or is it restricted to Class C addresses only in the range?
Superfell
24.0.0.0 through 24.255.255.255 will work fine.
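The two controls the thread has discussed so far, a per-profile login IP range (entered as a netblock such as 24.0.0.0/8 or as an explicit start/end pair) and binding an issued session id to the address that obtained it, as a worked example. This is added illustration code, not Salesforce's implementation; the `Profile` and `SessionStore` classes, the parameter names and the client addresses are all constructed for the demo. It also shows the edge case behind daroz's question: the /8 check is inclusive at both ends, 24.0.0.0 and 24.255.255.255.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field

# Added example (not Salesforce's code): a profile's login IP ranges, given
# either as CIDR blocks or as inclusive start/end pairs, plus a session
# store that binds each issued session id to the client IP that obtained it.


@dataclass
class Profile:
    name: str
    # inclusive (low, high) address pairs; a profile may hold several ranges
    ranges: list = field(default_factory=list)

    def add_cidr(self, cidr: str) -> None:
        """Admit a whole netblock, e.g. 24.0.0.0/8 -> 24.0.0.0 through 24.255.255.255."""
        net = ipaddress.ip_network(cidr, strict=False)
        self.ranges.append((net.network_address, net.broadcast_address))

    def add_range(self, start: str, end: str) -> None:
        """Admit an explicit inclusive range, the form an admin types into a profile."""
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {start}-{end}")
        self.ranges.append((lo, hi))

    def permits(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # Comparing v4 with v6 addresses raises TypeError, so match versions first.
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self.ranges)


class SessionStore:
    """Issues and checks session ids; bind_to_ip=True rejects a valid id
    presented from any address other than the one that logged in."""

    def __init__(self, bind_to_ip: bool = True):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}

    def login(self, user: str, profile: Profile, client_ip: str):
        # Login IP restriction: no session is issued from outside the profile's ranges.
        if not profile.permits(client_ip):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[sid] = {
            "user": user,
            "profile": profile,
            "ip": ipaddress.ip_address(client_ip),
        }
        return sid

    def validate(self, sid: str, client_ip: str):
        """Return the user for a session id presented from client_ip, or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Re-check the profile ranges on every request, not only at login.
        if not sess["profile"].permits(client_ip):
            return None
        # A leaked id replayed from a different client fails here when binding is on.
        if self.bind_to_ip and ipaddress.ip_address(client_ip) != sess["ip"]:
            return None
        return sess["user"]


def demo():
    """Walk the thread's scenario; returns a dict of outcomes for inspection."""
    profile = Profile("weblink-server")
    profile.add_cidr("24.0.0.0/8")
    bound = SessionStore(bind_to_ip=True)
    sid = bound.login("joyce", profile, "24.10.20.30")  # constructed client address
    return {
        "edge_low": profile.permits("24.0.0.0"),
        "edge_high": profile.permits("24.255.255.255"),
        "outside": profile.permits("25.0.0.1"),
        "same_client": bound.validate(sid, "24.10.20.30"),
        "other_client_in_range": bound.validate(sid, "24.99.99.99"),
        "login_outside": bound.login("joyce", profile, "10.0.0.1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With binding on, a session id that reaches another client is refused even when that client sits inside the allowed netblock; with binding off, the profile range is the only thing standing between a copied id and the account, which is the trade-off the later posts about external servers turn on.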
Joyce
My WIL runs on an external server.
DevAngel

Hi Joyce,

Yup, I see the issue.  Running on an external server is kind of a security risk itself, isn't it?

Having the embedded ip address in the session id doesn't work for the external server scenario either. I think that session ids need to be considered with the same security concerns as a user name and password. All the same precautions that you take to protect those should also be applied to a session id. This means not using a public kiosk, always use SSL in weblinks, never cut and paste the id into another application or document that might persist in the clear, etc.

Following these guidelines should provide the best protection and yet still allow for the functionality in the infamous trade off between usability and security.
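One place a session id "persists in the clear" without anyone pasting it is a server log that records weblink URLs. The following added example (not from the thread, and not Salesforce code) scans constructed log lines, redacts the value of any session-bearing query parameter before the line is stored, and flags any such URL that used plain http rather than SSL. The parameter names in `SESSION_PARAMS` and the sample hostnames are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example, not part of the thread. The parameter names below are
# constructed for the demo; use whatever your own weblinks actually carry.
SESSION_PARAMS = {"sid", "sessionid", "session_id"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def session_params_in(url: str) -> set:
    """Names of session-bearing query parameters present in url (lower-cased)."""
    query = urlsplit(url).query
    keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return keys & SESSION_PARAMS


def redact_url(url: str) -> str:
    """Replace the value of any session parameter, leaving the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def audit_line(line: str):
    """Return (redacted_line, findings) for one log line.

    Every URL carrying a session id is redacted before the line is stored, and a
    finding is recorded when such a URL used plain http rather than https.
    """
    findings = []

    def fix(match):
        url = match.group(0)
        if not session_params_in(url):
            return url
        if urlsplit(url).scheme != "https":
            findings.append("session id sent over plaintext http")
        return redact_url(url)

    return URL_RE.sub(fix, line), findings


def audit_log(lines):
    """Redact a batch of lines; returns (redacted_lines, all_findings)."""
    redacted, findings = [], []
    for line in lines:
        out, found = audit_line(line)
        redacted.append(out)
        findings.extend(found)
    return redacted, findings


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "GET http://hook.example.invalid/run?sid=abc123secret&user=joyce 200",
    "POST https://api.example.invalid/v1/query?session_id=zzz999 200",
    "GET https://api.example.invalid/ping 200",
]

if __name__ == "__main__":
    lines, findings = audit_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(findings)
```

Run the audit at the point where lines are written, not afterwards; a log rotated to disk with the id intact has already done the persisting the post warns about.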