To improve security, in Winter ’25, users can no longer log in to Salesforce by passing a username and password as URL query string parameters in the login URL, also known as forced login. This change will break implementations and third-party integrations that use a forced login via a URL, as well as direct login (autologin) links. To avoid service disruptions, update integrations that use forced login.
Where: This change applies to Lightning Experience (not available in all orgs) and Salesforce Classic in all editions.
When: This change takes effect in Winter ’25.
Why: In the Spring ’22 release, Salesforce enforced a release update that disabled the ability for users to log in using their credentials, but some orgs are still using this feature. With this change, forced login is permanently disabled in all orgs.
How: To prepare for the change, first review org usage of forced login. From Setup, in the Quick Find box, enter Login History, and then select Login History. View and download your org’s login history for the past 6 months. Review the HTTP method column. If the HTTP method is GET, and there’s no entry for Login Subtype, it indicates that users are using forced login.