Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g move movements, clicks, keyboard) for 10 minutes you'll receive an inactivity prompt ('Hey Kelly, are you still there?') and if your session reaches 60 minutes you'll be redirected to the login page.
As a suggestion you can periodically refresh the screen <F5> to prevent the security timeout kicking in.
In more recent comments here it sounds like some of you are having issues with the login process or staying logged into Xero for less than 60 minutes. If you're experiencing unexpected behaviour, we'd highly recommend raising a case with our team of specialists at Xero Support where we have tools to investigate and confirm what's going on - Any details you can provide the team on the page you're trying to sign in from (e.g URL, error 500 received) or actions you were making when the login issue occurred will help. Thanks
Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
If we detect there's been no activity on a page (e.g…
I'm afraid that fixing the session automatic expiry to 60 minutes is a very unsatisfactory decision by your product team. Incredible to see that these complaints have been going for years and are still not addressed.
It is incorrect to assume that every user of Xero has exactly the same security requirements. For example I only use it at home as a single user, where no one else has access to the computer, so it's plenty secure even if it stays logged in for days. In contrast, in an open office then of course security is a much more sensitive concern.
Why do you think that gmail lets people stay logged in for days or even weeks? And email is far more sensitive than an accounting platform, because (unless two factor authentication is used) any attacker can click a "Forgot password" button and then a recovery link is sent to the owner's email account which can let the attacker into the recovered account.
It should be up to users to decide what level of security they need, rather than a blanket decision by a product team. By all means impose a maximum session length of a week if you must, but 1 hour is ridiculous.
Adam Spiers
supported this idea
·
I'm afraid that fixing the session automatic expiry to 60 minutes is a very unsatisfactory decision by your product team. Incredible to see that these complaints have been going for years and are still not addressed.
It is incorrect to assume that every user of Xero has exactly the same security requirements. For example I only use it at home as a single user, where no one else has access to the computer, so it's plenty secure even if it stays logged in for days. In contrast, in an open office then of course security is a much more sensitive concern.
Why do you think that gmail lets people stay logged in for days or even weeks? And email is far more sensitive than an accounting platform, because (unless two factor authentication is used) any attacker can click a "Forgot password" button and then a recovery link is sent to the owner's email account which can let the attacker into the recovered account.
It should be up to users to decide what level of security they need, rather than a blanket decision by a product team. By all means impose a maximum session length of a week if you must, but 1 hour is ridiculous.