  1. 307 votes

    Carla Risdon commented

    It is very disappointing that we have all found our way here for the same frustrating reason and nothing has changed.

    Edit: I have received a reply from Xero Support:

    Unfortunately, we're unable to extend our log-out time past 60 minutes, as we do hold a lot of sensitive information including bank data and we're required to be as secure as online banking.

    Any session information running on a web browser can potentially be stolen. If the session does not time out then you have an infinitely long vulnerability window to session hijacking. The best option is to keep a tight expiration window on the session cookie, and regenerate them frequently.

    Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.

    However it is a priority for us to continually improve the way we handle sessions and session timeouts. We are working on better strategies and looking at changing our authentication model to better cope with session timeouts, browser connection failures and application upgrades.

    A suggestion in the meantime would be to regularly save your data and periodically refresh the screen <F5> to prevent the security timeout kicking in.

    We would also suggest you tick 'trust this device' if you haven't already.

    Kind regards

    Zaheer
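The reply quoted above describes an idle timeout that is reset by activity, combined with frequent regeneration of the session cookie. The following is an added example, not code from the post or from Xero, showing how those two controls interact server-side. The 60-minute idle window comes from the reply; the rotation interval, the absolute lifetime cap, the in-memory store and all names are assumptions made for illustration.

```python
import secrets

IDLE_TIMEOUT = 60 * 60       # 60-minute idle window, as stated in the reply
ROTATE_EVERY = 15 * 60       # assumed rotation interval (not from the page)
ABSOLUTE_MAX = 12 * 60 * 60  # assumed hard cap on session lifetime (not from the page)


class SessionStore:
    """Hypothetical in-memory store keyed by an opaque random session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now,
                               "last_seen": now, "issued": now}
        return sid

    def touch(self, sid, now):
        """Validate the session ID presented with a request.

        Returns (user, sid_to_set_in_cookie), or (None, None) when the ID is
        unknown, idle for too long, or past its absolute lifetime.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None, None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_MAX:
            del self._sessions[sid]
            return None, None
        s["last_seen"] = now  # any request, such as a page refresh, slides the idle window
        if now - s["issued"] >= ROTATE_EVERY:
            # Regenerate: the old ID stops working, so a copy captured earlier is rejected.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
            s["issued"] = now
            self._sessions[sid] = s
        return s["user"], sid


def demo():
    store = SessionStore()
    sid0 = store.create("alice", now=0)       # constructed user and timestamps (seconds)
    _, sid1 = store.touch(sid0, now=20 * 60)  # active request, rotation is due
    stale = store.touch(sid0, now=21 * 60)    # old ID presented after rotation
    active = store.touch(sid1, now=70 * 60)   # 50 minutes since last request: still valid
    idle = store.touch(active[1], now=70 * 60 + IDLE_TIMEOUT + 1)  # idle for over 60 minutes
    return sid0 != sid1, stale, active[0], idle
```

The absolute cap bounds the session lifetime even when requests keep arriving, which the sliding idle window alone does not do.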