2 results found

  1. 1,057 votes

    Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
    Any session information running on a web browser can potentially be stolen. If the session does not time out, you then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
    If we detect there's been no activity on a page (e.g…

    Mark Baghdassarian commented  · 

    Why is it that Xero does not have an option for those to decide an appropriate time? Alternatively, where the above is NOT possible - Xero desperately needs to extend this out to a minimum of 6 hours in my opinion. If anyone is actually worried about their account security where someone physically may access their portal, they can close their own window themselves and choose not to save their password in their browser. Xero, you need to change this desperately.

  2. 218 votes

    Mark Baghdassarian commented  · 

    It would be a great option to recognise various end customers through a single primary client (if that makes sense), i.e. 'The ABC Fund' CARE OF '123 Pty Ltd'... 'The DEF Fund' Care of 123 Pty Ltd. So 123 Pty Ltd might have e.g. 10+ customers who like to pay their own invoices, but I'd like the invoices all to go and be recorded against 123 Pty Ltd. So my clients are accountants who have multiple SMSF trustee clients of their own that they provide to me to audit. The accountants pass the invoices they receive on to the SMSF trustees to pay the audit invoice that I generate, not the accountant. It's common for accountants to have this arrangement in place. But I'd like to do it with the accountant as the 'care of' client. For this to really work and be effective, though, means that the Fund name or final recipient would have to be enlarged on the invoice to say 'hey, this is for you ultimately', then the accountant would have to drop in significance to say we are in care of this invoice which we will then pass on. A customer through a customer. The current reference on the invoice is not achieving quite the same thing.

    Mark Baghdassarian supported this idea  ·