Complete

Auto Logout Frustration


Userlevel 3
Is it possible to have a setting for 'keep me logged in' on the portal for monitoring purposes as well as general admin?
I'm fed up of having to log in every few minutes while administering the site every day.

20 replies

Userlevel 7
Badge +56
Good feature request - I'll make sure this one gets seen by our product managers.
This has been my biggest complaint about the product for over a year. I have to login over 20 times a day. Extremely frustrating!
Userlevel 7
Badge +29
I agree.
 
My suggestion would be:
 
An option under admins to set the timeout interval and then a warning pop up to confirm you are still on saying you will be logged out in x minutes.
I have to agree.  The portal is ridiculously too touchy when it comes to being kicked out. I can be reviewing a page and then click on another and be forced to log in again. If I am active, why am I being kicked off?
Userlevel 2
Badge +15
+1 on this. Like many I imagine, I keep the portal up all day on a dedicated screen to review the status at a glance. The single action I take more than any other is logging back in. 
 
I don't know if the portal auto-refreshes or not. It doesn't really remain logged in long enough to need to. It would be nice if it would remain logged in for a full work day, and auto refresh the dashboard every few minutes. That way a quick look keeps us up to date on whether or not anything needs addressing.
Userlevel 6
Badge +24
Jhartnerd123's suggestion is excellent.  If you are concerned with user security, add a field that we can set regarding idle time logout.  That way, you give us the choice whether to control our security level.
This is driving me a little crazy. I'm trialing your product and your bizarre security is really getting in the way. I have some issues:

1) Use real 2FA. This enter the SECOND and FIFTH character of your code stuff is ludicrous and helps no one. It's just a second, weaker password. You might think it's 2FA, but it isn't. Real 2FA is "something you know" and "something you have". This is just "something you know" times two. Use real 2FA and let me select "remember this device".

2) Don't log me out. You're not helping anyone here. Let me worry about device security. I use password/pins/locks/encryption/fingerprints/2FA to secure my devices. I can remotely wipe. I can remotely disable. I can remotely change passwords and expire sessions. I don't need you to log me out of my antivirus control panel for me.

3) Don't try to be more secure than my email. This is what it boils down to. If you think you're being clever with your security and I can just send a password reset to my phone or Outlook that never logs out of its account, then you've already lost. If I've lost physical control of my devices, the last thing I'm worried about is whether or not someone can view AV reports on your dashboard.

Email is the god account and I protect it appropriately. Don't try to be more clever than Google. Don't try to account for device security, that isn't your job.
+1 for this. Just started using WebRoot, and this is the first complaint I came up with. If you can't give us the option, at least set the timer to 4 hrs, which as I understand it, it used to be.
Made an account here JUST for this.  Constantly being logged out is extremely annoying.  A 'keep me logged in' checkbox would be much appreciated.
Userlevel 1
Badge +8
I'll triple call on this one.
Userlevel 6
Badge +25
All - the TTL has been modified on the GSM console to 90 minutes. It used to be 20 minutes and was recently changed to accommodate. Having a session setting would heavily impact the overall performance across millions of users, so it's not something being considered, as far as I know.
 
There is another security feature that isn't spoken about much, and that is that if your session presents a different IP address, it will kill the first session forcing you to relogin. This is by design to minimize man-in-the-middle attacks and keep your console secure.
 
This is usually resolved by contacting your ISP to see if the upstream route is load balancing and sending different IPs. Same with local routing. There are routers that bounce NAT and/or load balance NAT. We've had numerous customers have to address this.
 
 
Userlevel 1
Badge +8
How many admins are logged on to a console at any one time? Unless you are also talking about consumers using the same portal as business users? I could see that being an issue. In which case my next thought would be to separate business admins from consumers.
 
As far as IP flips, I would think that would be highly unlikely for a business class connection from an ISP. I suppose there might be some less expensive ones that might give you dynamic, but usually you are paying for a fixed IP or range.
 
And an upstream router should not have any impact on the source IP. So you should not have any issues if you are using source IP to maintain session state, which it sounds like you are doing.
Userlevel 6
Badge +25
? - you'd be surprised at what we've seen in the field. I've had numerous "business class" customers investigate and find a variety of issues that usually turn out to be mistakes, not on purpose, but misconfigured router (upstream or internal), VLAN Trunking, virtual networking and many other potential areas to consider that present variable IPs, mismatched ACK packets etc...  Also, I've had "business users" on their home network that are not always on business class ISP that's not fixed.
 
 
Several other potential areas to consider came to mind.
 
1 - Labtech RMM - there are scenarios where if a user is on the Control Center and uses the builtin screen to go to the GSM console, there's an oddity on how the IP is presented. Initial connection uses the hosted server and then switches to the client IP. If they're on different networks, it'll present different IPs every time. (Haven't tested it on LT11, so could be resolved.)
2 - Same login credentials. We've also seen teams use generic logins "Support@xyz.com" or "Helpdesk@xyz.com" and when two or more use the same login credentials at the same time, the GSM console will boot one or the other.
3 - Traffic, bandwidth and packet Shaping technology can also create issues.
 
There's lots of scenarios to look at and consider when sessions aren't staying persistent and our GSM console devs have taken great lengths to ensure it's both secure and now has plenty of time to get things done.
 
 
HTH
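
An added example, not part of the thread and not Webroot's code: a toy session store modelling the three behaviours described in the two posts above (the 90-minute TTL, the session killed when a different IP is presented, and a shared login booting the earlier user). It assumes the TTL is a sliding inactivity timeout; the class names, reason strings and addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TTL = 90 * 60  # seconds; the 90-minute value quoted in the thread

@dataclass
class Session:
    user: str
    ip: str
    last_seen: float

class SessionStore:
    """Toy model: idle timeout, IP binding, one live session per login."""
    def __init__(self, idle_ttl=IDLE_TTL):
        self.idle_ttl = idle_ttl
        self.sessions = {}  # token -> Session
        self.by_user = {}   # user -> token of the single live session

    def login(self, user, ip, now):
        # A second login with the same credentials evicts the first session.
        self.sessions.pop(self.by_user.pop(user, None), None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, now)
        self.by_user[user] = token
        return token

    def check(self, token, ip, now):
        """Return 'ok', or the reason the request is sent back to login."""
        s = self.sessions.get(token)
        if s is None:
            return "no-session"
        if now - s.last_seen > self.idle_ttl:
            self._drop(token)
            return "idle-timeout"
        if ip != s.ip:
            self._drop(token)  # assumed: a mismatch kills the session outright
            return "ip-changed"
        s.last_seen = now  # assumed sliding window: activity extends the session
        return "ok"

    def _drop(self, token):
        s = self.sessions.pop(token, None)
        if s and self.by_user.get(s.user) == token:
            del self.by_user[s.user]

if __name__ == "__main__":
    # Constructed timeline: two people sharing one helpdesk login.
    st = SessionStore()
    a = st.login("helpdesk@example.test", "198.51.100.7", now=0)
    b = st.login("helpdesk@example.test", "203.0.113.9", now=5)
    print(st.check(a, "198.51.100.7", 10), st.check(b, "203.0.113.9", 10))
```

Recording the reason string next to each forced re-login is what lets an admin tell a NAT or load-balancer IP flip apart from a real timeout or a colleague signing in with the same account.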
Userlevel 1
Badge +8
coscoop,
 
Thanks for the info.
 
And thanks for increasing the timeout! That was the most important part of this post.
 
Will you also be increasing the timeout for the WSS portal?
Badge +3
Great to see the helpful information and the request change completed
Userlevel 7
Badge +35
For security reasons a set timeout for the GSM console is an essential feature. We will look to see if we can add a user defined timeout section where each console user can determine the time before the console logs you out after a period of inactivity.
Badge

Has there been any progress on this issue?

Badge +8

This is still an annoyance. I really cannot fathom what security hole you think you’re filling by making me log-on every 90 minutes.

 

Along the same lines, how about a checkbox to register this computer for the MFA code for 30 days?

Userlevel 1
Badge +4

Personally, I think that there should be temporary cookies that stay until you close the browser or a max of 12 hours or something along those lines.  90 minutes is relatively short.  I don’t think that MFA acknowledgment tokens should stay valid any longer than the browser session or max timeout as that is a security feature.

Once Webroot removes the ability to run arbitrary scripts on endpoints, some of these settings can be relaxed, but until then, there does need to be a proper balance between security and ease of use. Having to log back in every 90 minutes is still a bit excessive though.
