login security issue with hosted

  • Problem
  • Updated 3 years ago
  • Not a Problem
Hosted has let me down again today. As if it isn't bad enough that after 5 min of being logged in the first screen times out with 'session expired', which means you can't actually 'log out' unless you log in again.

Well, today a client who has full access was using Hosted when another person with restricted access signed in. Of course it kicked out the first person with full access, however..... the second person (with restricted access) got taken straight into the program, no user ID, no password, and the program opened to the screen the first person was using and the first person's FULL ACCESS.

Not good at all.... you call this security, the second person could have done anything they liked, viewed anything, checked out pays.... the mind boggles.

Rav, Community Manager

Hi Kwikbooks,

From what I understand, and correct me if I'm wrong or have misunderstood, but it sounds as though the user with restricted access (Person B) is logging in with the same login as the user with full access (Person A). Is that correct?

If so, this is the reason why Person B is able to access/view at the same level as Person A.

Is there any reason Person B does not have their own licence as a second user?

If I've misunderstood let me know and we'll investigate further.

Cheers
Rav
Hi Rav
The client only usually needs one access, overlap may happen once a week, and client doesn't want to pay for another subscription for once a week or fortnight.

Yes, they are using the one user lic., but both have separate personal user ID and password.

So I totally understand that when person B logs in with the lic. details, it kicks user A out.

What I am concerned about is that when person B signs in, it opens directly to person A's page they had open, and they are not asked for their own user ID and password, which in this case restricts their access.

Luke, Employee

Hi Kwikbooks,

The reason why when user B logs in and it straight away opens to the data file with user A's user profile is because user A has not logged out of the file correctly.

Please instruct user A that when they are finished using Hosted they go to File > Close Company/Log Off. When they do this and then user B logs on, it will prompt them to enter their own username and password to access the data file.

I hope this helps.

Luke.
User A cannot log out properly anyway, because the first tab has 'session ended' even though Reckon is still open and being used on the 2nd tab.

So when person B logs in, it still should not take them straight in; it should ask for their user ID & password.

Rav, Community Manager

The reason that it doesn't ask for the User Name & Password to the COMPANY FILE is because Person B is logging in with the SAME Hosted credentials as Person A and taking over the active session.

As such, it will not differentiate that it is an altogether different person accessing the system whilst a session is still active.

The Hosted launch page (a web page) will time out after approximately 15-20 mins; however, of more importance is for the user currently WITHIN the company file (Hosted session) to ensure they close the company file, that is, File > Exit, before letting the second user log in.

Rav, Community Manager

Just to add to Luke's post, when Person B logs into the active session with the same credentials (Hosted), the system acknowledges it as the same person and gives them control of the existing Hosted session, including access to whatever software is operating in that session at the time, i.e. the same company file and access.

Best practice is always to have a separate licence for any additional users.

Rav
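
The behaviour described in this thread, as a simplified two-layer model (an added example, not code from Reckon Hosted or from anyone in the thread): the shared Hosted login selects a session, and the company-file login lives inside it. `HostedModel`, the sample users and `licence-1` are assumptions; `lock_on_takeover` is a hypothetical hardening that matches what Kwikbooks expected to happen, not a product setting.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: company-file users and their access level.
COMPANY_USERS = {"person_a": ("pw-a", "full"), "person_b": ("pw-b", "restricted")}

@dataclass
class HostedSession:
    licence: str                          # outer layer: shared Hosted login
    company_user: Optional[str] = None    # inner layer: company-file login

class HostedModel:
    """Toy model of the two login layers; not the vendor's implementation."""
    def __init__(self, lock_on_takeover: bool = False):
        self.sessions = {}
        self.lock_on_takeover = lock_on_takeover

    def connect(self, licence: str) -> HostedSession:
        session = self.sessions.get(licence)
        if session is None:
            session = self.sessions[licence] = HostedSession(licence)
        elif self.lock_on_takeover:
            # Hypothetical hardening: a takeover drops the inner login.
            session.company_user = None
        return session  # same licence -> same session, state included

    def open_company_file(self, session, user_id, password) -> bool:
        stored = COMPANY_USERS.get(user_id)
        if stored is None or stored[0] != password:
            return False
        session.company_user = user_id
        return True

    def close_company_file(self, session) -> None:
        session.company_user = None       # File > Close Company/Log Off

    def effective_access(self, session) -> Optional[str]:
        """Access level in force, or None if the file login prompt is shown."""
        user = session.company_user
        return COMPANY_USERS[user][1] if user else None

def scenario(lock_on_takeover: bool, a_logs_off: bool) -> Optional[str]:
    """Person A opens the file, then person B connects on the same licence."""
    hosted = HostedModel(lock_on_takeover)
    a = hosted.connect("licence-1")
    hosted.open_company_file(a, "person_a", "pw-a")
    if a_logs_off:
        hosted.close_company_file(a)
    b = hosted.connect("licence-1")
    return hosted.effective_access(b)
```

Because the outer layer only sees the licence, the model cannot tell person A from person B; the inner login is the only place where their access levels differ.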
