Skip to content
← For small businesses

Enter your idea

For small businesses: Settings & user roles

Categories

(thinking…)

Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)

Develop the feature where Xero doesn't log user out time is extended for more than 60 minutes when it’s idle.

Purpose: Because having to log in again can disrupt users' workflow, which some users had to be interrupted as they’re also taking care of their business at the same time.

1,057 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

AdminXero Team (Admin, Xero) shared this idea  ·   ·  Report…  ·  Admin →
not planned  ·  AdminKelly Munro (Community Manager, Xero) responded  · 

Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g move movements, clicks, keyboard) for 10 minutes you'll receive an inactivity prompt ('Hey Kelly, are you still there?') and if your session reaches 60 minutes you'll be redirected to the login page. 

  • As a suggestion you can periodically refresh the screen <F5> to prevent the security timeout kicking in.

In more recent comments here it sounds like some of you are having issues with the login process or staying logged into Xero for less than 60 minutes. If you're experiencing unexpected behaviour, we'd highly recommend raising a case with our team of specialists at Xero Support where we have tools to investigate and confirm what's going on - Any details you can provide the team on the page you're trying to sign in from (e.g URL, error 500 received) or actions you were making when the login issue occurred will help. Thanks

Show previous admin responses (1)

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ani Moller commented  ·   ·  Report

    Wow, this is a super annoying (feature) of the system. I totally get it for organisations working in offices where data privacy is critical. But I'm a sole trader and work alone. I would prefer a timeout of 12 hours.

  • Kim White commented  ·   ·  Report

    Has this issue really been going on since 2013 ??
    Xero Team (Admin, Xero) shared this idea
    · Sep 6, 2013 · Report…

    Surely Xero can come up with a better system. I believe user ability to set logout time should be available.

  • Cheryl Watson commented  ·   ·  Report

    Rubbish - its completely unnecessary - no other software for accounting has this !!

  • Cheryl Watson commented  ·   ·  Report

    Need to stop this auto log out after 60 minutes - you keep saying it's for security but if that is the case we can log out ourselves - no other software has this - Its nothing more than a waste of time - we do not sit at our desks every minute of every day and with the app you have to get codes for as well its nothing short of ridicules. If it continues, we will have to change software as all our staff are complaining.

  • Cheryl Watson commented  ·   ·  Report

    Need to stop this auto log out after 60 minutes - you keep saying it's for security but if that is the case we can log out ourselves - no other software has this - Its nothing more than a waste of time - we do not sit at our desks every minute of every day and with the app you have to get codes for as well its nothing short of ridicules. If it continues, we will have to change software as all our staff are complaining.

  • Michael Groves commented  ·   ·  Report

    I'm sorry, but this is an ill-considered position for Xero to take.

    Firstly, there isn't (or certainly shouldn't be) any extra risk to the integrity of the Xero application itself. That sounds like an argument made to suggest that my preferences put other users at risk, which really isn't the case. (If being logged in really puts the Xero application at risk, that means that anyone logged in can do harm to the application. I really hope that isn't the case!)

    The main point, though, is that there is always a trade-off between security and efficiency. But where the optimum trade-off lies depends on individual circumstances. No-one's suggesting a longer idle time across the board. Every user's maximum idle time should be up to the admin of the client organisation to decide, taking into account how accessible the computers are, etc. Some admins might think that forcing a log-off after 20 minutes of idle time is required in their situation. A one-man business working from home might prefer to stay logged in for the whole day.

    Whose interests is Xero acting in, in deciding for me, how long it's safe to be logged in and idle? Not mine! Make it an admin-only user option with a warning. But don't take decisions about MY business, on my behalf, thank you.

  • Trent Firmin commented  ·   ·  Report

    Love this truthful comment so had to repost. XERO What are you doing!! Tsk tsk! Have you forgotten who made you??

    So once again Xero is not listening - they are right and we are wrong and to prove it they will increase their prices

  • Nicole Neale commented  ·   ·  Report

    Seriously! What was the point of the survey? You disrupted everyone's workflow to force them to give you their opinion. Then in true Xero style, you didn't listen to what they had to say and did what you had already decided anyway. Another great way to alienate your customer base. 5 stars for making us feel unheard and unworthy of making our own decisions AGAIN!

  • EMC I.T. Solutions commented  ·   ·  Report

    I'm in IT Security, and this isn't the approach you take (We know better than you) unless you want to alienate your user base and cause general discontent.

    Allow the organization to adjust this between any defined windows of say, 1-240 minutes. This is an risk management decision at an organizational level. Set the default to 60 minutes but allow each ORG to define their own idle timeout policy.

    OR, "lock" the session but don't log it out. I'm sure you're all capable of figuring that out.

    Xero's refusal to listen to your customer's is jarring on this, and the SSO enablement both. For an otherwise great product, it's really frustrating.

  • Amy Hesketh commented  ·   ·  Report

    Session hijacking is a real and serious problem, however there are other ways of dealing with it besides such a strict session timeout. And of course, this doesn't prevent a session hijacking attempt, it just means the window of attack has to be within an hour of signing into Xero. It's extra inconvenient for people who need to sign in sporadically during the day, and the short session is only marginally more secure, it's not like it guarantees security. It should be part of a holistic security and threat detection system. For example, why can't I see active sessions in my account? If my session has been hijacked, where's the list of sessions currently active on my login?

  • Simon Young commented  ·   ·  Report

    So once again Xero is not listening - they are right and we are wrong and to prove it they will increase their prices

← Previous 1 3 4 5 19 20