Session settings
There are various features that can be used to configure sessions, as described in the following sections.
Lock sessions to the IP address from which they originated
The Lock sessions to the IP address from which they originated option is used to specify whether users' sessions are to be locked to the IP address with which they logged in.
Require secure connections (HTTPS)
The Require secure connections (HTTPS) option sets whether HTTPS (instead of the less secure HTTP connection) is required to access Salesforce.
Force relogin after Login-As-User
The Force relogin after Login-As-User option, when set, requires you to log in again to get back into Salesforce after you log out of a session in which you were logged in as another user. When this is not set, you are returned to your original session after logging out as that user, and you do not have to log in again.
Require HttpOnly attribute
The Require HttpOnly attribute option restricts access to the session ID cookies. The effect of this is that cookies with the HttpOnly attribute are not accessible using non-HTTP calls such as JavaScript methods from custom or packaged applications.
Use POST requests for cross-domain sessions
The Use POST requests for cross-domain sessions option configures the organization to send session information using a POST request instead of a GET request during cross-domain exchanges, such as when calling a Visualforce page that is served on a different URL to the standard Salesforce CRM pages.
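The five options above can also be checked outside the Setup pages. The following is an added example, not part of the original text: it audits a retrieved Metadata API `SecuritySettings` file and reports which options are off or absent. The mapping from each option label to a `sessionSettings` field name is this example's assumption and should be verified against your API version; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Setup option label -> SessionSettings field (assumed mapping, verify per API version).
OPTION_FIELDS = {
    "Lock sessions to the IP address from which they originated": "lockSessionsToIp",
    "Require secure connections (HTTPS)": "requireHttps",
    "Force relogin after Login-As-User": "forceRelogin",
    "Require HttpOnly attribute": "requireHttpOnly",
    "Use POST requests for cross-domain sessions": "enablePostForSessions",
}

# Constructed sample of a retrieved settings file (not from a real org).
SAMPLE = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <forceRelogin>true</forceRelogin>
        <lockSessionsToIp>false</lockSessionsToIp>
        <requireHttpOnly>true</requireHttpOnly>
        <enablePostForSessions>false</enablePostForSessions>
    </sessionSettings>
</SecuritySettings>"""


def audit_session_settings(xml_text):
    """Return {option label: 'enabled' | 'disabled' | 'missing'}."""
    root = ET.fromstring(xml_text)
    session = root.find("md:sessionSettings", NS)
    report = {}
    for label, field in OPTION_FIELDS.items():
        node = session.find(f"md:{field}", NS) if session is not None else None
        if node is None or node.text is None:
            # An absent element means the file does not state the value.
            report[label] = "missing"
        elif node.text.strip().lower() == "true":
            report[label] = "enabled"
        else:
            report[label] = "disabled"
    return report


def findings(xml_text):
    """Option labels that are not explicitly enabled, sorted for stable output."""
    report = audit_session_settings(xml_text)
    return sorted(label for label, state in report.items() if state != "enabled")


if __name__ == "__main__":
    for label, state in audit_session_settings(SAMPLE).items():
        print(f"{state:8}  {label}")
```

A "missing" result only means the retrieved file does not carry that element, so confirm the value in Setup before treating it as disabled.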