You need to sign in to do that
Don't have an account?
Starting November 20, the site will be set to read-only.
On December 4, 2023,
Apex Code Development (90768)
General Development (55146)
Visualforce Development (37251)
Lightning (18265)
APIs and Integration (17146)
Trailhead (11680)
Formulas & Validation Rules Discussion (11337)
Other Salesforce Applications (8116)
Jobs Board (6655)
Force.com Sites & Site.com (4842)
Mobile (2694)
You need to sign in to do that
Don't have an account?
I'm looking mostly about user authentication with custom built applications (WIL).
Client applications must log in using valid credentials for a salesforce.com account. The sforce server authenticates these credentials and, if valid, provides the client application.
Looking for documented secuirity information around this. If we create custom app accessible via WIL, how can one guarantee secuirty and if there are any security loopholes. The session ID does expire after 2 hours
While it is true that a specific SessionID does expire after 2 hours (by default) it can be used in conjunction with the UI to generate more SessionIDs seemingly for an unlimited duration. (I'd actually expect that not to be the case, but 24 hours for certain.) Case in point, if your SessionID gets compromised an attacker can use that SessionID, passed to frontdoor.jsp, and will get another, new, SessionID. That ID will be valid for 2 hours, and the UI will refresh it and issue another one half way before it expires. (Give or take a bit)
In short, SessionIDs should never be transmitted in the clear. Unless you need to, use the security settings in the UI to lock SessionIDs to the IP address they were created with. Lastly, if your users are to only use the application from specific locations limit their access to those IP addresses.
This sounds like a security flaw?
I think daroz's guidance makes sense - always useful to know what additional measures (such as IP lockdown) are available to your orgs.