Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)
Develop the feature where Xero doesn't log user out time is extended for more than 60 minutes when it’s idle.
Purpose: Because having to log in again can disrupt users' workflow, which some users had to be interrupted as they’re also taking care of their business at the same time.
![](https://secure.gravatar.com/avatar/3e8620417a8479ef69d5350df419cb19?size=40&default=https%3A%2F%2Fassets.uvcdn.com%2Fpkg%2Fadmin%2Ficons%2Fuser_70-6bcf9e08938533adb9bac95c3e487cb2a6d4a32f890ca6fdc82e3072e0ea0368.png)
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g move movements, clicks, keyboard) for 10 minutes you'll receive an inactivity prompt ('Hey Kelly, are you still there?') and if your session reaches 60 minutes you'll be redirected to the login page.
- As a suggestion you can periodically refresh the screen <F5> to prevent the security timeout kicking in.
In more recent comments here it sounds like some of you are having issues with the login process or staying logged into Xero for less than 60 minutes. If you're experiencing unexpected behaviour, we'd highly recommend raising a case with our team of specialists at Xero Support where we have tools to investigate and confirm what's going on - Any details you can provide the team on the page you're trying to sign in from (e.g URL, error 500 received) or actions you were making when the login issue occurred will help. Thanks
-
Michael Groves commented
I'm sorry, but this is an ill-considered position for Xero to take.
Firstly, there isn't (or certainly shouldn't be) any extra risk to the integrity of the Xero application itself. That sounds like an argument made to suggest that my preferences put other users at risk, which really isn't the case. (If being logged in really puts the Xero application at risk, that means that anyone logged in can do harm to the application. I really hope that isn't the case!)
The main point, though, is that there is always a trade-off between security and efficiency. But where the optimum trade-off lies depends on individual circumstances. No-one's suggesting a longer idle time across the board. Every user's maximum idle time should be up to the admin of the client organisation to decide, taking into account how accessible the computers are, etc. Some admins might think that forcing a log-off after 20 minutes of idle time is required in their situation. A one-man business working from home might prefer to stay logged in for the whole day.
Whose interests is Xero acting in, in deciding for me, how long it's safe to be logged in and idle? Not mine! Make it an admin-only user option with a warning. But don't take decisions about MY business, on my behalf, thank you.
-
Trent Firmin commented
Love this truthful comment so had to repost. XERO What are you doing!! Tsk tsk! Have you forgotten who made you??
So once again Xero is not listening - they are right and we are wrong and to prove it they will increase their prices
-
Nicole Neale commented
Seriously! What was the point of the survey? You disrupted everyone's workflow to force them to give you their opinion. Then in true Xero style, you didn't listen to what they had to say and did what you had already decided anyway. Another great way to alienate your customer base. 5 stars for making us feel unheard and unworthy of making our own decisions AGAIN!
-
EMC I.T. Solutions commented
I'm in IT Security, and this isn't the approach you take (We know better than you) unless you want to alienate your user base and cause general discontent.
Allow the organization to adjust this between any defined windows of say, 1-240 minutes. This is an risk management decision at an organizational level. Set the default to 60 minutes but allow each ORG to define their own idle timeout policy.
OR, "lock" the session but don't log it out. I'm sure you're all capable of figuring that out.
Xero's refusal to listen to your customer's is jarring on this, and the SSO enablement both. For an otherwise great product, it's really frustrating.
-
Amy Hesketh commented
Session hijacking is a real and serious problem, however there are other ways of dealing with it besides such a strict session timeout. And of course, this doesn't prevent a session hijacking attempt, it just means the window of attack has to be within an hour of signing into Xero. It's extra inconvenient for people who need to sign in sporadically during the day, and the short session is only marginally more secure, it's not like it guarantees security. It should be part of a holistic security and threat detection system. For example, why can't I see active sessions in my account? If my session has been hijacked, where's the list of sessions currently active on my login?
-
Simon Young commented
So once again Xero is not listening - they are right and we are wrong and to prove it they will increase their prices
-
Chitra Mani commented
No
-
Michael Ahern commented
no
-
Dave Morgan commented
#@'! I just want to get my friggen' work done!!
-
Laurie Musgrave commented
annoying!!!
-
Ian Bassola commented
No
-
Veer Malik commented
no
-
rachel staples commented
No
-
rizwan sally commented
Ok
-
Gena Smith commented
It is very annoying
-
Matthew Purcell commented
No
-
Jenny Khan commented
All i want to do is log on and get my work done
-
Piero Palazzolo commented
It is extremely annoying to log in regularly during the day and time wasting owing to the time outs done by the system
-
Trish Smart commented
Not interested
-
Menashe Salomon commented
I'm not interested in this survey!!
Why do you blocked my page?