Skip to content

Settings and activity

1 result found

  1. 1,061 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
    Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
    If we detect there's been no activity on a page (e.g…

    An error occurred while saving the comment
    Amy Hesketh commented  · 

    Session hijacking is a real and serious problem, however there are other ways of dealing with it besides such a strict session timeout. And of course, this doesn't prevent a session hijacking attempt, it just means the window of attack has to be within an hour of signing into Xero. It's extra inconvenient for people who need to sign in sporadically during the day, and the short session is only marginally more secure, it's not like it guarantees security. It should be part of a holistic security and threat detection system. For example, why can't I see active sessions in my account? If my session has been hijacked, where's the list of sessions currently active on my login?

    Amy Hesketh supported this idea  ·