Skip to content

Settings and activity

4 results found

  1. 118 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    Michael Groves supported this idea  · 
  2. 1,061 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
    Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
    If we detect there's been no activity on a page (e.g…

    An error occurred while saving the comment
    Michael Groves commented  · 

    I'm sorry, but this is an ill-considered position for Xero to take.

    Firstly, there isn't (or certainly shouldn't be) any extra risk to the integrity of the Xero application itself. That sounds like an argument made to suggest that my preferences put other users at risk, which really isn't the case. (If being logged in really puts the Xero application at risk, that means that anyone logged in can do harm to the application. I really hope that isn't the case!)

    The main point, though, is that there is always a trade-off between security and efficiency. But where the optimum trade-off lies depends on individual circumstances. No-one's suggesting a longer idle time across the board. Every user's maximum idle time should be up to the admin of the client organisation to decide, taking into account how accessible the computers are, etc. Some admins might think that forcing a log-off after 20 minutes of idle time is required in their situation. A one-man business working from home might prefer to stay logged in for the whole day.

    Whose interests is Xero acting in, in deciding for me, how long it's safe to be logged in and idle? Not mine! Make it an admin-only user option with a warning. But don't take decisions about MY business, on my behalf, thank you.

    An error occurred while saving the comment
    Michael Groves commented  · 

    Absurd that Xero don't listen to their customers! 10 years on, this "feature" is still imposed on their paying customers.

    As a work-around, this chrome extension allows you to auto refresh xero pages, so the re-login timeout doesn't happen.

    Auto Refresh Plus

    https://chrome.google.com/webstore/detail/auto-refresh-plus-page-mo/hgeljhfekpckiiplhkigfehkdpldcggm

    Michael Groves supported this idea  · 
  3. 11 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    An error occurred while saving the comment
    Michael Groves commented  · 

    Yes, if the functionality exists, why should all paying subscribers not be able to use it? One of the reasons we started using Xero was so we didn't need to use an external firm of accountants, we do our own accounts in-house.

    Michael Groves supported this idea  · 
  4. 4 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    Michael Groves supported this idea  ·