mike160304's avatar
mike160304
Collaborator | Level 9
2 months ago
Status:
Gathering Support

Automatically sign out of Dropbox on the site after a specific amount of time

At the moment, if I hang about or leave, Dropbox seems to keep me signed in, which is, for me, an unnecessary security risk. Surely a lot of people would dislike this, if they thought about it?

There should be an option in Settings to log me off if I am inactive for a set length of time, or if I leave.

Could you please look at this?

Regards,

Mike160304

  • WoofGrrrr's avatar
    WoofGrrrr
    Helpful | Level 6

    I opened a similar request (www . dropboxforum . com / idea / 101002013/ allow-the-invoice-page-to-timeout-on-the-dropbox-site / 815976) after I noticed that one of my INVOICES just sat there and kept on showing my personal information - with no close button - as I mentioned two days ago.   I got a very dismissive response, after which the request was promptly closed.  I hadn't even noticed that the entire WEB SITE itself was not TIMING OUT.

    The response basically told me to manually un-check the "Remember Me" checkbox at login, then I have to always manually logout or close the page -- NO, THE BROWSER.  Or maybe I need to somehow remember that the web site has opened other pages - TABS, ACTUALLY - that are buried amongst the various tabs in my browser and manually close all of them too. 

    And since the topic is Closed, I cannot respond.

    I'm sorry, but this just does not cut it.  This kind of behavior makes me think that maybe it's time to move to another cloud storage solution.  I mean, Dropbox is the NOT only one anymore.  Not for a long time.

    "The first step in security is you."  Really???  I am not a newbie.  I am a retired web site developer.

    Browser Login Session Time Outs have been a thing for years, DECADES.

    If a web site has a "Keep me Logged In" - or similar - when I login, that's fine.  It is very clear what the consequences are.  But to do it by default.  No.

    And every other web site I have ever used that has some form of "Remember me" merely pre-fills my Login ID the next time I login.  It does NOT keep me logged in.

    And to expect me to manually delete the web site's cookies???

    And then this:  "even an automatic timeout wouldn't be enough to protect your account if you just walk away from the computer while still signed in."

    Not true.  I can list MANY web sites that use login session time outs that clear all personal data from their pages when your session times out.

    Just after I got the response, I logged out of dropbox.com, closed my browser, and logged back in, making sure that the Remember Me checkbox was NOT checked.  Then I brought up a receipt, which opened in another Tab.  Those two tabs have been just sitting there for over an hour.

    So it's clear that dropbox.com isn't using browser login session time outs. And that the "Remember Me" checkbox has nothing to do with that.

    • WoofGrrrr's avatar
      WoofGrrrr
      Helpful | Level 6
      WoofGrrrr wrote:

      MANY web sites that use login session time outs that clear all personal data from their pages when your session times out.

      I'm sorry, I misspoke (mis-typed?)  Because, actually, browser session timeouts are not enough. 

      In order to get all pages for a web site to handle the end of a login session, the pages must use some type of asynchronous technology that causes code in the pages to run, which clears the information on the page. 

      Many web sites do this.  Thank goodness all the banking, credit card, and health care web sites that I use do it.

      That Dropbox does not do it gives me great pause.  If a user fails to logout and close all pages or tabs (or close the browser app,)  all the files in their dropbox are there for anyone to see.

  • WoofGrrrr's avatar
    WoofGrrrr
    Helpful | Level 6

    I noted recently that the Payment Invoice page never did anything to hide my personal information after a period of inactivity.  I hadn't noticed that the ENTIRE Web Site had no Login Session Time Out until someone pointed it out when I reported this problem with the Invoice Page.

    Exposing my personal information like this is a HUGE Security Problem!

    "Remember Me" should only remember your Login Name and pre-fill it when you come back to the site to login - as almost every other web site I have ever used does it - but NOT keep the Login Session alive... FOREVER. 

  • Rich's avatar
    Rich
    Icon for Super User II rankSuper User II
    mike160304 wrote:

    There should be an option in Settings to log me off if I am inactive for a set length of time, or if I leave.

    Uncheck the Remember Me option when signing in, and you'll be signed out as soon as you close the browser window.

  • Jay's avatar
    Jay
    Icon for Dropbox Staff rankDropbox Staff
    Status changed:
    New
    to
    Gathering Support

    This idea is open. 

     

    If you like this idea, please share how this would help you, and vote to show your support. 

     

    Our top-voted ideas are shared with our product teams to investigate in our regular reviews.