Settings and activity
4 results found
-
118 votes
Michael Groves
supported this idea
·
-
1,061 votes
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g…An error occurred while saving the comment An error occurred while saving the comment Michael Groves
commented
Absurd that Xero don't listen to their customers! 10 years on, this "feature" is still imposed on their paying customers.
As a work-around, this chrome extension allows you to auto refresh xero pages, so the re-login timeout doesn't happen.
Auto Refresh Plus
https://chrome.google.com/webstore/detail/auto-refresh-plus-page-mo/hgeljhfekpckiiplhkigfehkdpldcggm
Michael Groves
supported this idea
·
-
11 votes
An error occurred while saving the comment Michael Groves
commented
Yes, if the functionality exists, why should all paying subscribers not be able to use it? One of the reasons we started using Xero was so we didn't need to use an external firm of accountants, we do our own accounts in-house.
Michael Groves
supported this idea
·
-
4 votesMichael Groves
supported this idea
·
I'm sorry, but this is an ill-considered position for Xero to take.
Firstly, there isn't (or certainly shouldn't be) any extra risk to the integrity of the Xero application itself. That sounds like an argument made to suggest that my preferences put other users at risk, which really isn't the case. (If being logged in really puts the Xero application at risk, that means that anyone logged in can do harm to the application. I really hope that isn't the case!)
The main point, though, is that there is always a trade-off between security and efficiency. But where the optimum trade-off lies depends on individual circumstances. No-one's suggesting a longer idle time across the board. Every user's maximum idle time should be up to the admin of the client organisation to decide, taking into account how accessible the computers are, etc. Some admins might think that forcing a log-off after 20 minutes of idle time is required in their situation. A one-man business working from home might prefer to stay logged in for the whole day.
Whose interests is Xero acting in, in deciding for me, how long it's safe to be logged in and idle? Not mine! Make it an admin-only user option with a warning. But don't take decisions about MY business, on my behalf, thank you.