Customer Security FAQ
Q: What is the application time-out period?
A: The cookie containing the login token expires after 24 hours. The API also only keeps the session token for 24 hours.
Q: How are cookies protected?
A: Cookies are set specifically to
.observepoint.com so other sites cannot read them. Cross-site scripting (XSS) is avoided because we don’t have any pages that render user input on another user’s account. Users can name their audits and journeys, and this input is stripped of any scripts that are designated as unsafe while keeping safe and desired scripts in the document.
Q: How does the application ensure that the session ID is changed at login and re-authentication?
A: The application detects the user is unauthenticated by either recognizing the authentication cookie is not set or by detecting the authentication token is expired and therefore invalid. When detection of one of the two events occurs, the logout flow is executed to clear the authentication cookie. When the user logs back in, the application makes a new request for another authentication token and the browser handles the cookie. The authentication service knows to return a value different than the one before because it adds the date and time of the token creation so that it always generates a different token.
Q: How does the application ensure that the session data is erased or overwritten once the session is terminated?
A: Some non-critical data such as dropdown selections, filter options, etc. is saved in the browser’s session storage. The browser clears this data when the session ends. Authentication information in the cookie is also cleared by the browser because the cookie is set with an expiration date. The authentication token cookie is also manually cleared upon logout or when detecting that it has expired.
Q: Where are the session identifiers maintained?
A: Session identifiers are maintained server side. When authenticating, the browser receives a token, allowing it to authenticate with the application's API.
Q: Are the session IDs displayed in URLs, error messages and logs?