Session & Security

This article explains how Omnivoo manages your login sessions behind the scenes, including automatic refresh, idle timeouts, and the security mechanisms that protect your account.

Automatic Session Refresh

When you log in, Omnivoo issues a pair of secure tokens:

  • Access token -- Used for every request to Omnivoo's servers. It lasts about 15 minutes.
  • Refresh token -- Used to obtain a new access token when the current one expires. It is longer-lived.

Omnivoo refreshes your access token proactively before it expires -- roughly every 13 minutes, comfortably ahead of the 15-minute expiry. This happens automatically in the background, so you will never see a login prompt while actively using the app.

If a background refresh does not go through the first time -- for example, a brief network drop -- Omnivoo does not sign you out. It automatically tries again about a minute later. Only a session that is genuinely expired or revoked sends you back to the login page.

Info: Token refresh is completely transparent. You do not need to take any action. Omnivoo's server issues and sets all of your authentication cookies and is the single source of truth for whether you are signed in -- the app running in your browser never sets these cookies itself, and it reads your signed-in state from your profile.
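The refresh schedule described above can be traced as a timeline. This is an added example, not Omnivoo's code; it uses the article's approximate figures and assumes that a failed retry is followed by another retry one minute later, which the article does not state.

```javascript
// Added illustration, not Omnivoo's code. All times are in minutes.
const ACCESS_TTL = 15;     // access token lifetime (approximate, from the article)
const REFRESH_EVERY = 13;  // proactive refresh interval
const RETRY_AFTER = 1;     // delay before retrying a failed refresh

// outcomes: constructed list of results for successive refresh attempts:
//   "ok"      -> server issued a new access token
//   "network" -> request did not complete (transient failure)
//   "revoked" -> server reports the session as expired or revoked
// Assumption: the client keeps retrying every RETRY_AFTER minutes.
function simulateRefresh(outcomes) {
  const events = [];
  let issuedAt = 0;          // login issues the first access token at t = 0
  let now = REFRESH_EVERY;   // first proactive refresh
  for (const outcome of outcomes) {
    // Is the current access token still inside its lifetime at this attempt?
    const tokenValid = now < issuedAt + ACCESS_TTL;
    if (outcome === "ok") {
      issuedAt = now;
      events.push({ at: now, outcome, tokenValid, next: "refresh" });
      now += REFRESH_EVERY;
    } else if (outcome === "network") {
      events.push({ at: now, outcome, tokenValid, next: "retry" });
      now += RETRY_AFTER;
    } else {
      // Only a definitive answer from the server ends the session.
      events.push({ at: now, outcome, tokenValid, next: "login" });
      break;
    }
  }
  return events;
}
```

For the outcomes ok, network, ok the attempts fall at minutes 13, 26 and 27: the retry at 27 still lands before the token issued at 13 expires at 28, which is what the two-minute margin is for.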

Idle Timeout

For security, Omnivoo automatically logs you out after 30 minutes of inactivity.

What counts as activity

Omnivoo monitors the following user interactions to detect activity:

  • Mouse clicks anywhere in the app
  • Keyboard input (typing in fields, using shortcuts)
  • Scrolling through pages or lists
  • Mouse movement across the screen
  • Touch events on mobile or tablet devices

As long as any of these interactions occur within the 30-minute window, your session stays active.

What happens when you time out

  1. After 30 minutes with no detected activity, your session tokens are cleared.
  2. On your next interaction, you are redirected to the login page.
  3. After logging in, you are returned to the page you were on before the timeout.

Tip: If you are reading a long document or reviewing a detailed report, scrolling or moving your mouse occasionally will keep your session alive. You do not need to click anything specific.

Tab Visibility Handling

Omnivoo is aware of whether its browser tab is in the foreground or background, and it treats the idle timer differently in each case:

  • Tab in foreground -- The idle timer runs normally, and your interactions reset it.
  • Tab moved to background -- The idle timer is paused. Time you spend on other tabs or apps does not count toward the 30-minute idle logout, so a tab left in the background does not, by itself, sign you out.
  • Tab returns to foreground -- Omnivoo re-checks your session and the idle countdown resumes from the start. If your session is still valid, you continue where you left off. If it was already ended (for example, revoked or expired), you are prompted to log in.

Only genuine inactivity while the Omnivoo tab is visible -- 30 minutes of it -- triggers the idle logout, so you can switch to other tabs and come back without being logged out just for being away.
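The idle and tab-visibility rules above, written as a small state tracker. This is an added example, not Omnivoo's code; the class and its `sessionValid` argument (standing in for the server re-check on return to the foreground) are hypothetical.

```javascript
// Added illustration, not Omnivoo's code. Time is passed in explicitly
// (milliseconds) so the rules can be exercised without a browser.
const IDLE_LIMIT_MS = 30 * 60 * 1000;

class IdleTracker {
  constructor(now) {
    this.visible = true;
    this.lastReset = now;    // start of the current idle countdown
    this.loggedOut = false;
  }

  // Call from click, keydown, scroll, mousemove and touch handlers.
  activity(now) {
    this.check(now);         // activity after the limit does not revive a session
    if (!this.loggedOut && this.visible) this.lastReset = now;
  }

  // Call from a visibilitychange handler. sessionValid is the result of
  // re-checking the session with the server when the tab becomes visible.
  setVisible(visible, now, sessionValid = true) {
    this.check(now);         // settle foreground idle time before switching
    this.visible = visible;
    if (!visible) return;    // hidden: the countdown is paused
    if (!sessionValid) this.loggedOut = true;
    else if (!this.loggedOut) this.lastReset = now;  // countdown restarts
  }

  // Only idle time spent while the tab is visible can end the session.
  check(now) {
    if (this.visible && now - this.lastReset >= IDLE_LIMIT_MS) {
      this.loggedOut = true;
    }
    return this.loggedOut;
  }
}
```

In a browser, `setVisible` would be driven by the `visibilitychange` event and `document.hidden`, and `check` by a periodic timer.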

Logging Out

Manual Logout

To log out of your current session:

  1. Click your avatar at the top of the left sidebar and select Logout, or
  2. Open My Profile > Account Actions and click Sign Out.

Your session is ended and all session data is cleared from your browser.

Logout of All Devices

If you need to end all active sessions (for example, if you suspect unauthorized access):

  1. Open My Profile (avatar menu > Profile).
  2. Expand the Security section.
  3. Click Logout of All Devices and confirm in the dialog.
  4. Every session, including your current one, is ended. You will need to log in again on each device.

Warning: This logs you out everywhere immediately. Use it if you suspect someone else has access to your account, or if you have logged in on a device you no longer control.

Info: Omnivoo does not show a per-device list of individual sessions. The all-or-nothing Logout of All Devices action is the way to revoke access remotely.

Omnivoo stores authentication tokens in HTTP-only, Secure cookies. This design choice provides several security benefits:

What this means for you

  • No tokens in JavaScript -- Your authentication tokens cannot be read or stolen by malicious scripts (protects against XSS attacks).
  • Automatic inclusion -- Cookies are sent with every request to Omnivoo automatically by your browser. You do not need to manage tokens manually.
  • Secure flag -- Cookies are only sent over HTTPS connections, preventing interception on insecure networks.
  • SameSite protection -- Cookies are scoped to Omnivoo's domain, reducing exposure to cross-site attacks.

What this means for developers and integrations

If you are building integrations with Omnivoo, note that authentication is cookie-based, not header-based. API requests must include cookies (credentials: "include" in fetch calls).

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks your browser into making requests to Omnivoo on your behalf. Omnivoo protects against this by:

  • Validating the origin of incoming requests.
  • Using SameSite cookie attributes to prevent cookies from being sent in cross-origin requests.
  • Requiring specific headers on state-changing requests.

You do not need to do anything to benefit from CSRF protection -- it is built into the platform automatically.
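A server-side sketch of the first and third checks in the list above (origin validation and a required header on state-changing requests). This is an added example, not Omnivoo's code; the allowed origin and the header name are placeholders, since the article does not name them.

```javascript
// Added illustration, not Omnivoo's code.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // placeholder origin
const REQUIRED_HEADER = "x-requested-with";                   // placeholder header
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: object keyed by lower-cased header name, as Node's http module provides.
function checkCsrf(method, headers) {
  // Read-only methods must not change state, so they are not gated here.
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  // Prefer Origin; fall back to the origin part of Referer when Origin is absent.
  let source = headers["origin"];
  if (!source && headers["referer"]) {
    try {
      source = new URL(headers["referer"]).origin;
    } catch {
      source = null; // unparseable Referer counts as no origin information
    }
  }
  if (!source) return { ok: false, reason: "no origin" };
  // Exact match against the allow-list; prefix or substring matching would
  // accept look-alike hosts.
  if (!ALLOWED_ORIGINS.has(source)) {
    return { ok: false, reason: "origin not allowed" };
  }
  // An HTML form cannot set a custom header, and cross-origin script can only
  // do so after a CORS preflight that the server would have to approve.
  if (!headers[REQUIRED_HEADER]) {
    return { ok: false, reason: "missing header" };
  }
  return { ok: true, reason: "passed" };
}
```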

Security Summary

Feature | How It Protects You
Automatic token refresh | Keeps you logged in without storing long-lived credentials
30-minute idle timeout | Prevents unauthorized access on unattended devices
HTTP-only cookies | Blocks JavaScript from accessing your tokens (XSS protection)
Secure cookies | Ensures tokens are only sent over HTTPS
SameSite cookies | Prevents cross-site request attacks
CSRF validation | Blocks forged requests from malicious sites
Logout of All Devices | Lets you end every active session remotely from My Profile

Frequently Asked Questions

Why was I logged out unexpectedly?
Most likely, the Omnivoo tab was open in the foreground with no activity for 30 minutes or more, and the idle timeout signed you out for security. Simply log in again to continue. Leaving the Omnivoo tab in the background does not, on its own, log you out -- the idle timer only counts down while the tab is visible.

Can I change the idle timeout duration?
The 30-minute timeout is a platform-wide security setting and cannot be changed per user. This duration balances security with convenience.

Do I stay logged in if I close my browser?
It depends on your browser's cookie settings. If your browser is configured to clear cookies on close, you will need to log in again. Otherwise, your session persists until it expires or is revoked.

Is my session shared across browser tabs?
Yes. All tabs in the same browser share the same session. Logging out in one tab logs you out in all tabs.