Auto sign out from cloud server

Dear @lubos

I observe that on cloud server… Once I log in it will be logged in forever.

If there is a chance to expire the login token every 24 hrs or every day then that would be more secure.

Sometimes we forget to sign out during weekends or in some other scenarios.

How about adding Remember me checkbox to login screen? If you close web-browser, that would log you out if Remember me checkbox was unchecked during login. Would that work?

That might work… But

More secure way I feel mandatory logout for every 24hrs…

This practice is good for any company I feel

If we show a Remember me option…
Most of the employees or employers will start using it, and that’s what is already happening now without the Remember me option

@lubos I am curious as to your reasoning why you believe it is desirable to have an always logged in design concept. I feel that this makes any website service far less secure. People should be required to log in after 30 minutes of inactivity time in my opinion.

I actually don’t have strong opinion on this but always logged in seems to be what the biggest websites are doing. E.g. Gmail.

I agree with Gmail,
It has different kinds of verification methods

When I travel, Gmail will always ask me to log in again and ask me for some kind of verification method

And
I also don’t agree with Gmail also mainly on desktop for continuous login option

But I don’t feel secure with manager application if it’s having continuous login
Maybe because accounting should be more secure in my view

I can’t help wondering if this always logged on system is behind the rise of email breaches with systems like Office 365 as it’s now possible for a hacker to remain logged in for days even after a password change! I don’t know.

I am strongly opposed to forced logouts because I don’t think forced logouts are going to improve Manager. It’s going to ruin the experience, unless it’s left to the user to set the connection parameters, which would be great.

Not everyone has the same priorities with respect to security vs efficiency.

Forced logouts means more logins means less work time, more forgetting of password, more time the user spends with our IT guys … etc.

Personally I value efficiency over security for everything other than my bank login details. In fact I have never used an antivirus on Windows for about 20+ years now.

You can view the sessions for every administrator account and log them out.

IMO, the forced logout deal will only help when someone temporarily forgets his laptop logged in in an unattended place and someone else takes advantage.
And to be honest, most of us work in closed offices so that’s not really an issue, unless the hacker physically breaks in to our office, in that case permanent login is the least of our problems.

However, I can still see some room for more global security settings. Like, a global view for sessions, “close all sessions” button, lock accounts and send password reset instruction by email and most importantly a superuser account to be activated from control panel only.

BTW, I am not a fan of changing passwords every so and so days, and this is my opposition to that even before someone else suggested it :grin:

Everyone will have different preferences…

In your explanation I feel like why use passwords for computers? Why can’t I lock office doors so no one can break in?

As you said, forced logout will be helpful when left in an unattended place or when shifts are changed between employees.
Or last week I forgot my phone in a city, luckily I use a phone fingerprint lock. What if I don’t use any lock for my phone?

So many different scenarios can happen
So why can’t Manager itself help us in getting a better secure option?

:grin:

An administrator setup parameter is my preference.

The reason is the ideal depends on the physical work environment. With high physical security and the Manager user accessing Manager intermittently, auto logout is a significant retrograde step.

In contrast in a high turnover shared office environment, a short auto logout would be a helpful feature.

I use Manager Server edition, so personally I could not care less as the issue does not affect me.

I just commented on the issue, because breaches are becoming ever increasingly more and more common - granted usually Office 365 breaches etc. So security is vital to protect our data. I would however concur with @Patch that the physical work environment would be a relevant factor here.

However, at the very least I would recommend an auto sign out after 4 hours of no activity as most likely you will have gone home or be asleep in bed with a delay that long. I can’t see any reason for a permanent login. Also how does the cloud update if you never logout?
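
The options debated in this thread (a forced logout every 24 hours, a 30-minute or 4-hour inactivity timeout, an administrator-set parameter, and sessions that survive a password change) can be compared in one server-side check. This is an added sketch, not Manager's code and not part of any post; `SessionPolicy`, `Session`, `check_session` and the `password_version` counter are assumed names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class SessionPolicy:
    # Administrator-set limits; None disables a limit entirely.
    idle_timeout: Optional[timedelta]       # log out after this much inactivity
    absolute_lifetime: Optional[timedelta]  # log out this long after login, active or not


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    password_version: int  # user's password counter at the time the session was issued


def check_session(s: Session, policy: SessionPolicy, now: datetime,
                  current_password_version: int) -> Tuple[bool, str]:
    """Validate a session on each request; returns (valid, reason)."""
    # A password change bumps the counter, which invalidates every older session.
    if s.password_version != current_password_version:
        return False, "password_changed"
    if (policy.absolute_lifetime is not None
            and now - s.created_at >= policy.absolute_lifetime):
        return False, "absolute_lifetime"
    if policy.idle_timeout is not None and now - s.last_seen >= policy.idle_timeout:
        return False, "idle_timeout"
    s.last_seen = now  # only a still-valid request counts as activity
    return True, "ok"


# The positions taken in the thread, expressed as policies (constructed values).
SHARED_OFFICE = SessionPolicy(timedelta(minutes=30), timedelta(hours=24))
FOUR_HOUR_IDLE = SessionPolicy(timedelta(hours=4), None)
ALWAYS_LOGGED_IN = SessionPolicy(None, None)
```

The password-version check is independent of both timers, so even an always-logged-in policy stops honouring old sessions once the password changes.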