Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)
Develop the feature where Xero doesn't log the user out, or the log-out time is extended to more than 60 minutes, when it’s idle.
Purpose: Having to log in again can disrupt users' workflow; some users are interrupted while they’re also taking care of their business at the same time.
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out, you then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate it frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g. mouse movements, clicks, keyboard) for 10 minutes you'll receive an inactivity prompt ('Hey Kelly, are you still there?') and if your session reaches 60 minutes you'll be redirected to the login page.
- As a suggestion you can periodically refresh the screen <F5> to prevent the security timeout kicking in.
In more recent comments here it sounds like some of you are having issues with the login process or staying logged into Xero for less than 60 minutes. If you're experiencing unexpected behaviour, we'd highly recommend raising a case with our team of specialists at Xero Support where we have tools to investigate and confirm what's going on. Any details you can provide the team on the page you're trying to sign in from (e.g. URL, error 500 received) or actions you were making when the login issue occurred will help. Thanks
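The timeout behaviour described in the response above (prompt after 10 idle minutes, logout after 60, frequent cookie regeneration), as an added example that is not Xero's code. The `SessionStore` class, the in-memory table and the 15-minute rotation interval are assumptions for illustration; times are passed in as seconds so the logic can be exercised without waiting.

```python
import secrets

PROMPT_AFTER = 10 * 60   # idle seconds before the "are you still there?" prompt (from the page)
IDLE_TIMEOUT = 60 * 60   # idle seconds before redirect to the login page (from the page)
ROTATE_EVERY = 15 * 60   # assumed rotation interval; the page only says "frequently"


class SessionStore:
    """Hypothetical in-memory session table keyed by the opaque cookie value."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user", "last_seen", "issued"}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now, "issued": now}
        return sid

    def state(self, sid, now):
        """Status poll from the page: 'active', 'prompt' or 'expired'.
        Polling is not user activity, so it never refreshes last_seen."""
        s = self._sessions.get(sid)
        if s is None or now - s["last_seen"] >= IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # expiry is enforced server-side
            return "expired"
        return "prompt" if now - s["last_seen"] >= PROMPT_AFTER else "active"

    def request(self, sid, now):
        """Authenticated user request. Returns (user, cookie_value_to_set),
        or (None, None) when the caller must be sent to the login page."""
        if self.state(sid, now) == "expired":
            return None, None
        s = self._sessions[sid]
        s["last_seen"] = now
        if now - s["issued"] >= ROTATE_EVERY:
            # Regenerate the identifier: the old value stops working at once,
            # so a copied cookie is only useful until the next rotation.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
            s["issued"] = now
            self._sessions[sid] = s
        return s["user"], sid
```

With immediate invalidation on rotation, requests already in flight from other open tabs would carry the old value, so a deployed version normally accepts the previous identifier for a few seconds.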
-
Mark Laforest commented
Was this "idea" posted by the Xero Team on Sep 6, 2013? I can see comments from 2+ years ago. If so, we are more than 10 years on and still nuffin! I think we are wasting our time contributing to this thread.
-
Accounts Users commented
I would hope most sensible adults would choose to log out if they are not monitoring Xero for a long period. Otherwise it is a pain to keep logging back in when you are sitting in front of your PC working.
-
Ewa Mantaj commented
At the moment it does time out too soon
-
Tim Newman commented
I understand the reason given by Xero was sensitive data*, so how about something easier like a 4 digit pin?
*Lots of people use computers in secure locations that no-one unauthorised has access to, bit of a stupid reason to take everyone's ability to choose away.
-
Angela Taylor commented
Would greatly appreciate more flexibility with extending the LogOut times - see below for all the reasons why. Understand if busy environment but I work from home, on my own, and want to use Xero throughout the day and still have to log on regularly throughout the day. Please look into this for your community.
-
Wilfried and Catherine Smekens commented
please have option to extend log in time
-
Oliver Dennis commented
This needs to be fixed. Unfortunately Xero tech are not very good and don't know or care about a resolution for this constant customer complaint. The CEO of Xero just wants them signed up and after that the tech's all told to ignore this constant request, as Xero don't know how to fix it.
-
Justine Hansen commented
Highly disruptive - especially for those of us who work with multiple tabs open for efficiency. And especially unnecessary for those of us who work at our own computer in a secure office. Please offer more choice around this and less nannying!!
-
Michael Groves commented
Absurd that Xero don't listen to their customers! 10 years on, this "feature" is still imposed on their paying customers.
As a work-around, this Chrome extension allows you to auto refresh Xero pages, so the re-login timeout doesn't happen.
Auto Refresh Plus
https://chrome.google.com/webstore/detail/auto-refresh-plus-page-mo/hgeljhfekpckiiplhkigfehkdpldcggm
-
Transcom Industries Ltd commented
Looks like from the comments below that I'm not the only person complaining about having to log in many times a day.
Please extend the time from 60mins. It is very annoying having to keep logging in.
-
Clive Menkin commented
come on Xero - it is time to fix this! or you just don't care about your users.
-
Kevin Holland commented
It's utterly infuriating but Xero will not action anything - requirements and suggestions just sit idly here for years with no action. This request is 10 years old FFS!
-
Eugene Ng commented
Actually we are each issued an individual laptop, which already has password/fingerprint unlock and auto-locks after 30 min of inactivity (I also lock it whenever I am going to leave my work desk for a slightly longer time). I think most websites will also prompt you to click to stay logged in instead of requiring us to manually key in the password again. What is the point of requiring us to manually key in the password when we have already saved the password on the laptop for easy login? I close the Xero tab and reopen it and it logs in automatically, so why require us to manually type the password?
-
Kim Badger commented
I think the user or business should be able to choose this level of security and not have it imposed on them. If they are aware of the risks, they should be able to still choose to keep logged in.
-
John Fraser commented
Agree with comments. Logging out after one hour is disruptive as we use Xero to create invoices for sales and these often have intervals greater than one hour.
-
EMC I.T. Solutions commented
++ this
-
Adam Spiers commented
I'm afraid that fixing the session automatic expiry to 60 minutes is a very unsatisfactory decision by your product team. Incredible to see that these complaints have been going for years and are still not addressed.
It is incorrect to assume that every user of Xero has exactly the same security requirements. For example I only use it at home as a single user, where no one else has access to the computer, so it's plenty secure even if it stays logged in for days. In contrast, in an open office then of course security is a much more sensitive concern.
Why do you think that gmail lets people stay logged in for days or even weeks? And email is far more sensitive than an accounting platform, because (unless two factor authentication is used) any attacker can click a "Forgot password" button and then a recovery link is sent to the owner's email account which can let the attacker into the recovered account.
It should be up to users to decide what level of security they need, rather than a blanket decision by a product team. By all means impose a maximum session length of a week if you must, but 1 hour is ridiculous.
-
Kevin Rudd commented
I don't remember this being an issue a few years ago but now with multiple organisations on a single login it is even more frustrating. Each time I get logged out due to "inactivity" I need to then go and navigate back to where it kicked me out from. At least let us log back into the same screen.
-
Mike Knobloch commented
I find this extremely frustrating - especially if I have several windows open at the same time.
-
Mark Baghdassarian commented
Why is it that Xero does not have an option for those to decide an appropriate time. Alternatively, where the above is NOT possible - Xero desperately needs to extend this out to a minimum 6 hours in my opinion. If anyone is actually worried about their account security where someone physically may access their portal, they can close their own window themselves and choose not to save their password in their browser. Xero you need to change this desperately