Comments on: Salesforce IP checking is a royal PITA

By: Sumanta

Sumanta — Thu, 10 Sep 2009 05:08:51 +0000

HI i am sumanta.I work in Softtrends Software Pvt, Ltd. in Bangalore(India). We have developed one mobileCRM client to access data from Saleforce CRM server. But the problem we are facing is alwyas during login we have supply the security token when calling the Salesforce WebService. So can anyone help me out to give some idea of how to implement the same ip validation based login in device like salesforce does in web browser. I mean what is the technicall proces or what are the WebServcies availbale to do this in device client?

By: Chris

Chris — Mon, 27 Jul 2009 23:29:50 +0000

Is there anything new on this? Having this issue and it’s driving us crazy.

By: Ryan H

Ryan H — Wed, 02 Jul 2008 16:41:39 +0000

I can’t stand this thing – like the majority of features that Salesforce has implemented, it’s completely half-assed. Internally, we call it the ‘Aggravation Link’

By: Blake

Blake — Thu, 26 Jun 2008 20:45:19 +0000

Way late on this, but there’s also a security token inside of salesforce (I believe it’s listed under Security Controls in Setup). If you add this token to the end of your password then it doesn’t matter which IP address you are trying to access it from, you should be able to gain access.

By: Aaron Huslage

Aaron Huslage — Sun, 06 Apr 2008 01:45:04 +0000

Judi. I think it would be ideal for SalesForce to offer a SecurID key or some other hardware/multi-layer password system instead of brute-force IP checking, which is more or less useless from a security standpoint. What you’ve stumbled on is only a minor roadblock for a knowledgeable hacker to get around, as you’ve seen by “hacking” your own account.

By: Judi Sohn

Judi Sohn — Fri, 04 Apr 2008 18:09:19 +0000

Thanks, Kingsley. As I said, I don’t want to disable it. I like that Salesforce has that additional layer security and I want it to make sure I’m me. I just want it to do it in another way than checking my IP address.

By: Kingsley Joseph

Kingsley Joseph — Fri, 04 Apr 2008 18:07:06 +0000

Hey Judi,
That sounds like a presentation nightmare scenario. I’m glad that you solved the problem ingeniously, but I can see how that might have been a *little* awkward.

The IP check (which I’m sure you know is optional and is settable on a per profile basis) is a very useful security device. But it’s definitely better suited to some working styles than others. If you have an idea on how we can make this better for your working requirements, I’d encourage you to post it to the IdeaExchange (http://ideas.salesforce.com), where it can be seen and voted on by other customers. If you do post an idea, please update this post to link to it so your readers can vote on it too.