We've implemented a feature on our website that allows our users to disable auto-logout for extended periods (please note this does not apply to logins on a mobile device).
This is helpful for users who always have an eye on the exchange, as it allows them to:
- Keep VALR open for frequent trading
- Not have to worry about re-entering their password regularly during the day
However, there are risks associated with disabling auto-logout. In short, the longer a user is logged in, the more time an attacker has to compromise a user's account.
Potential attacks include:
- Remote access
- Cross-site scripting
- Local access if the user leaves their device unlocked
The broad group of attacks that target users while they are logged in are called session-based attacks. Attackers take advantage of insufficient session expiration in a web application to reuse a valid session ID and hijack the associated active session. The shorter the session interval, the less time an attacker has to use a valid session ID.
We have therefore followed best practice by setting the session idle timeout to a short period, in order to balance the security and usability of the VALR exchange.
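The trade-off described above can be made concrete with a small server-side session store. The example below is added here for illustration and is not VALR's code; the timeout values, the user name and the fake clock are constructed for the demonstration. It shows why a short idle timeout limits the window in which a captured session ID stays usable, how "disable auto-logout" widens that window, and why a hard absolute lifetime should still cap every session regardless of the user's choice.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Idle timeout: how long a session may sit unused before it is invalidated.
# Absolute timeout: hard cap on a session's lifetime regardless of activity.
# These numbers are constructed for the example, not the exchange's real settings.
DEFAULT_IDLE_SECONDS = 15 * 60        # short idle timeout (the default)
EXTENDED_IDLE_SECONDS = 12 * 60 * 60  # what opting out of auto-logout grants here
ABSOLUTE_SECONDS = 24 * 60 * 60       # hard cap that always applies


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    idle_limit: int


class SessionStore:
    """Server-side session table keyed by an unguessable random session ID."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the example can advance time deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, disable_auto_logout: bool = False) -> str:
        now = self._clock()
        idle = EXTENDED_IDLE_SECONDS if disable_auto_logout else DEFAULT_IDLE_SECONDS
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = Session(user, now, now, idle)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session and refresh its idle clock,
        or None (and forget the session) once it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s.last_seen > s.idle_limit
        absolute_expired = now - s.created_at > ABSOLUTE_SECONDS
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed stand-in for time.time() so the demo can fast-forward."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def hijack_window_demo(disable_auto_logout: bool, seconds_after_last_use: int) -> bool:
    """Model a session ID that was captured (e.g. via XSS) and then presented
    `seconds_after_last_use` seconds after the legitimate user's last request.
    Returns True if the store would still accept it."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.create("alice", disable_auto_logout)
    clock.advance(60)
    store.validate(sid)  # the user's last legitimate request
    clock.advance(seconds_after_last_use)
    return store.validate(sid) is not None


def absolute_cap_demo(hours_active: int) -> bool:
    """A user with auto-logout disabled who keeps using the site every hour.
    Returns whether the session is still accepted after `hours_active` hours,
    which shows the absolute cap firing even though the idle limit never does."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.create("alice", disable_auto_logout=True)
    alive = True
    for _ in range(hours_active):
        clock.advance(3600)
        alive = store.validate(sid) is not None
    return alive


if __name__ == "__main__":
    print("default, 20 min idle:", hijack_window_demo(False, 20 * 60))   # False
    print("extended, 20 min idle:", hijack_window_demo(True, 20 * 60))   # True
    print("extended, 13 h idle:", hijack_window_demo(True, 13 * 3600))   # False
    print("extended, active 25 h:", absolute_cap_demo(25))               # False
```

With the default idle timeout, a session ID reused twenty minutes after the user's last request is already dead; with auto-logout disabled the same ID is still accepted, which is exactly the larger attacker window the article warns about. The absolute cap is the part a user cannot opt out of, so even a continuously active extended session is forced to re-authenticate after a day.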
This is a risk trade-off that users should make based on how extensively they use the VALR exchange and how tolerant they are of the potential risks associated with remaining logged in for long periods.