Session & Security
This article explains how Omnivoo manages your login sessions behind the scenes, including automatic refresh, idle timeouts, and the security mechanisms that protect your account.
Automatic Session Refresh
When you log in, Omnivoo issues a pair of secure tokens:
- Access token -- Used for every request to Omnivoo's servers. Short-lived.
- Refresh token -- Used to obtain a new access token when the current one expires. Longer-lived.
Omnivoo refreshes your access token proactively before it expires. This happens automatically in the background -- you will never see a login prompt while actively using the app.
Token refresh is completely transparent. You do not need to take any action. If you are curious about the technical details: Omnivoo detects when your access token is nearing expiry and silently requests a new one using the refresh token.
Idle Timeout
For security, Omnivoo automatically logs you out after 30 minutes of inactivity.
What counts as activity
Omnivoo monitors the following user interactions to detect activity:
- Mouse clicks anywhere in the app
- Keyboard input (typing in fields, using shortcuts)
- Scrolling through pages or lists
- Mouse movement across the screen
- Touch events on mobile or tablet devices
As long as any of these interactions occur within the 30-minute window, your session stays active.
What happens when you time out
- After 30 minutes with no detected activity, your session tokens are cleared.
- On your next interaction, you are redirected to the login page.
- After logging in, you are returned to the page you were on before the timeout.
If you are reading a long document or reviewing a detailed report, scrolling or moving your mouse occasionally will keep your session alive. You do not need to click anything specific.
Tab Visibility Handling
Omnivoo is aware of whether its browser tab is in the foreground or background:
- Tab in foreground -- Normal activity detection and session management.
- Tab moved to background -- The idle timer continues running. If you return after more than 30 minutes of inactivity, your session may have expired.
- Tab returns to foreground -- Omnivoo immediately checks your session status. If still valid, you continue where you left off. If expired, you are prompted to log in.
This means you can switch to other tabs and come back without issues, as long as you return within the idle timeout window.
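The idle-timeout and tab-visibility behaviour described above can be sketched as follows. This is an added example, not Omnivoo's own code: the class, function, and event names are assumptions chosen to match the activity types and 30-minute window listed in this article.

```javascript
// Added example, not Omnivoo's code. All names here are assumptions.
const IDLE_LIMIT_MS = 30 * 60 * 1000; // the 30-minute window from the article
const ACTIVITY_EVENTS = ['click', 'keydown', 'scroll', 'mousemove', 'touchstart'];

class IdleTracker {
  // `now` is injectable so the logic can be exercised without waiting.
  constructor({ limitMs = IDLE_LIMIT_MS, now = Date.now, onExpire = () => {} } = {}) {
    this.limitMs = limitMs;
    this.now = now;
    this.onExpire = onExpire;
    this.lastActivity = now();
    this.expired = false;
  }

  // Called on every activity event. A timed-out session is never revived:
  // the first interaction after expiry leads to the login redirect instead.
  recordActivity() {
    if (this.check()) return false;
    this.lastActivity = this.now();
    return true;
  }

  // Compares timestamps instead of trusting a timer callback, because
  // browsers throttle timers in background tabs.
  check() {
    if (!this.expired && this.now() - this.lastActivity >= this.limitMs) {
      this.expired = true;
      this.onExpire(); // e.g. clear session state and remember the return page
    }
    return this.expired;
  }
}

// Browser wiring; returns false when no DOM is present.
function attach(tracker, doc = globalThis.document) {
  if (!doc) return false;
  const opts = { passive: true, capture: true }; // capture also sees nested scrolls
  for (const type of ACTIVITY_EVENTS) {
    doc.addEventListener(type, () => tracker.recordActivity(), opts);
  }
  // Returning to the foreground triggers an immediate session check.
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'visible') tracker.check();
  });
  setInterval(() => tracker.check(), 15 * 1000);
  return true;
}
```

A client-side timer like this only improves the user experience; the server still has to expire the session on its own clock.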
Logging Out
Manual Logout
To log out of your current session:
- Click your name or avatar in the top-right corner.
- Select Log Out.
- Your session is ended and all session data is cleared from your browser.
Logout from All Devices
If you need to end all active sessions (for example, if you suspect unauthorized access):
- Go to Profile Settings > Security > Active Sessions.
- Click Revoke All Sessions.
- Every session, including your current one, is terminated.
- You will need to log in again on each device.
Revoking all sessions logs you out everywhere immediately. Use this if you suspect someone else has access to your account, or if you have logged in on a device you no longer control.
Cookie-Based Authentication
Omnivoo stores authentication tokens in HTTP-only, Secure cookies. This design choice provides several security benefits:
What this means for you
- No tokens in JavaScript -- Your authentication tokens cannot be read or stolen by malicious scripts (protects against XSS attacks).
- Automatic inclusion -- Cookies are sent with every request to Omnivoo automatically by your browser. You do not need to manage tokens manually.
- Secure flag -- Cookies are only sent over HTTPS connections, preventing interception on insecure networks.
- SameSite protection -- The SameSite attribute restricts when your browser attaches these cookies to requests initiated by other sites, reducing exposure to cross-site attacks.
What this means for developers and integrations
If you are building integrations with Omnivoo, note that authentication is cookie-based, not header-based. API requests must include cookies (credentials: "include" in fetch calls).
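Integrators who want to confirm the cookie attributes described above can audit the `Set-Cookie` headers they receive. The following is an added example, not Omnivoo's code: the cookie names and values are constructed, and the article does not state which SameSite value Omnivoo uses.

```javascript
// Added example, not Omnivoo's code. Cookie names and values are constructed.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);

  // Attribute names are case-insensitive; normalise before comparing.
  const flags = new Map();
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    flags.set(key, i === -1 ? '' : a.slice(i + 1).toLowerCase());
  }

  const findings = [];
  if (!flags.has('httponly')) findings.push('missing HttpOnly: readable by page scripts');
  if (!flags.has('secure')) findings.push('missing Secure: may be sent over plain HTTP');
  const sameSite = flags.get('samesite');
  if (sameSite === undefined) {
    findings.push('missing SameSite: browser default applies');
  } else if (sameSite === 'none') {
    findings.push('SameSite=None: attached to cross-site requests');
  }
  return { name, findings };
}

// Constructed sample headers: hardened, bare, and cross-site-enabled.
const SAMPLE_HEADERS = [
  'access_token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'access_token=abc123; Path=/',
  'refresh_token=def456; Path=/; httponly; secure; samesite=None',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}
```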
CSRF Protection
Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks your browser into making requests to Omnivoo on your behalf. Omnivoo protects against this by:
- Validating the origin of incoming requests.
- Using SameSite cookie attributes to prevent cookies from being sent in cross-site requests.
- Requiring specific headers on state-changing requests.
You do not need to do anything to benefit from CSRF protection -- it is built into the platform automatically.
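A server-side check that combines origin validation with a required header on state-changing requests could look like the sketch below. This is an added example, not Omnivoo's implementation: the allowed origin is a placeholder and the header name is hypothetical, since the article names neither.

```javascript
// Added example, not Omnivoo's code. The origin and header name are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.omnivoo.example']); // placeholder
const REQUIRED_HEADER = 'x-requested-with'; // hypothetical header name
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parses a URL and returns its origin, or null if it is not a valid URL
// (this also covers the literal "null" origin sent by sandboxed contexts).
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// `req` is { method, headers } with lower-cased header names.
function checkCsrf(req) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: 'safe method' };

  // Prefer Origin; fall back to Referer when Origin is absent.
  const h = req.headers;
  const source = h.origin ? originOf(h.origin) : h.referer ? originOf(h.referer) : null;
  if (source === null) return { allowed: false, reason: 'no verifiable origin' };

  // Exact match on the parsed origin; prefix or substring matching would
  // accept look-alike hosts.
  if (!ALLOWED_ORIGINS.has(source)) return { allowed: false, reason: 'origin not allowed' };

  // A cross-site form post cannot attach a custom header, and a cross-origin
  // fetch that sets one triggers a CORS preflight first.
  if (!h[REQUIRED_HEADER]) return { allowed: false, reason: 'required header missing' };
  return { allowed: true, reason: 'ok' };
}
```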
Security Summary
| Feature | How It Protects You |
|---|---|
| Automatic token refresh | Keeps you logged in without storing long-lived credentials |
| 30-minute idle timeout | Prevents unauthorized access on unattended devices |
| HTTP-only cookies | Blocks JavaScript from accessing your tokens (XSS protection) |
| Secure cookies | Ensures tokens are only sent over HTTPS |
| SameSite cookies | Prevents cross-site request attacks |
| CSRF validation | Blocks forged requests from malicious sites |
| Session revocation | Lets you log out from any or all devices remotely |
Frequently Asked Questions
Why was I logged out unexpectedly? Most likely, you were inactive for 30 minutes or more. Omnivoo's idle timeout logged you out for security. Simply log in again to continue.
Can I change the idle timeout duration? The 30-minute timeout is a platform-wide security setting and cannot be changed per user. This duration balances security with convenience.
Do I stay logged in if I close my browser? It depends on your browser's cookie settings. If your browser is configured to clear cookies on close, you will need to log in again. Otherwise, your session persists until it expires or is revoked.
Is my session shared across browser tabs? Yes. All tabs in the same browser share the same session. Logging out in one tab logs you out in all tabs.