← Share and support customer ideas for Xero

Settings and activity

Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)

1,064 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

403 comments · For small businesses » Settings & user roles · delete… · Admin →

How important is this to you?

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close
Not in pipeline · AdminKelly Munro (Community Manager, Xero) responded
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g move movements, clicks, keyboard) for 10 minutes you'll receive an inactivity prompt ('Hey Kelly, are you still there?') and if your session reaches 60 minutes you'll be redirected to the login page.

As a suggestion you can periodically refresh the screen <F5> to prevent the security timeout kicking in.

In more recent comments here it sounds like some of you are having issues with the login process or staying logged into Xero for less than 60 minutes. If you're experiencing unexpected behaviour, we'd highly recommend raising a case with our team of specialists at Xero Support where we have tools to investigate and confirm what's going on - Any details you can provide the team on the page you're trying to sign in from (e.g URL, error 500 received) or actions you were making when the login issue occurred will help. Thanks
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g…
An error occurred while saving the comment

Mark Laforest commented · 23 May, 2024

Was this "idea" was posted by the Xero Team on Sep 6, 2013.. I can see comments from 2+ years ago. If so, we are more than 10 years on and still nuffin! I think we are wasting our time contributing to this thread.

Submitting...

An error occurred while saving the comment

Mark Laforest commented · 19 September, 2022

Such an easy change to do ... c'mon Xero. It can be a parameter per user that the Administrator sets so if you want it open for 8 hours then the Admin user determines the merit of it and sets it per user.
To say Xero makes that determination for all companies because of the sensitive information is a way round of not doing the enhancement.

Submitting...

Mark Laforest supported this idea · 19 September, 2022

Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)

We're glad you're here

We're glad you're here