The Active Sessions page in FreeAgent seems to have been built with browsers in mind, not API access.
It is next to impossible for a FreeAgent user to identify sessions created by an API app. A user might well think their account has been hacked instead, with frequent access from “Unknown Browsers”.
Each active session says, “Expires in 14 days / ‘Remember me’ was checked”. This is misleading for API access because there is no ‘remember me’ to check and the access does not expire in 14 days; at most it expires in 1 hour (the access token’s TTL). I would prefer to see “Expires in 1 hour” and no mention of ‘remember me’.
Furthermore the page used to list the user agent so API applications could be indirectly identified. Now the page simply says “Unknown browser” for API apps. I would prefer to see the name of the API app, which FreeAgent can presumably look up via the access token (which was issued to an approved client id).
Finally, there is no mention of the number of active sessions. One can start logging out of the “sessions” created by using the API, but there could be hundreds and there is no indication of this. I assume that if API access is treated as having an expiry of 1 hour, then the number of active “sessions” will decrease significantly. Still, it would be nice to see a count of the number of active sessions.
Thanks for reach out
You certainly do raise some interesting and useful suggestions, and ones that I will feed back to the relevant Product Managers internally. Can I ask if there’s been certain situations where providing the additional information would have been useful or is it purely anecdotal?
The new Audit Trail feature does call out any action taken by an integration as such (and lists the integration name), so that can always be used to answer any unknown questions retroactively, but I know that this only goes so far, and it doesn’t show any session information.
Look forward to hearing from you,
Core Services: API Product Manager
Thanks for the reply!
This came up because one of my DoubleAgent customers looked at their active sessions and saw hundreds of sessions from browsers which weren’t theirs. They contacted me to ask if these sessions were DoubleAgent’s because there was no way to tell from the active sessions page. It defeats the purpose of the page if you can’t tell which are legitimate “sessions”.
I’m the aforementioned customer!
I was looking at Active Sessions as a regular audit we do on everything that holds customer PII.
I saw this…
… and had no idea what could be accessing our account, I was quite alarmed. After a bit of digging I noticed that the timestamps of the DoubleAgent sessions were :03 and :33 which I happened to know is when DoubleAgent syncs its data. But I had to ask Andrew to confirm whether they were indeed DoubleAgent.
Most importantly, though, the screen misled me into thinking there were only 5 active sessions. Only when I hit “Log out” on a few did I see even more appearing in the UI.
That’s dangerous because if there had been an illegitimate login further back in time, I wouldn’t see it.
Ultimately I hit “log out of all other sessions” which I was reluctant to do in case it logged out FreeAgent on my phone (it didn’t).
Hello Andrew and Paul,
Thanks ever so much for the added context, that’s super useful to have.
As promised, I’ll pass this on to the relevant team internally.
Thanks again for reaching out, it’s always great to hear about potential improvements from developers
Core Services:API Product Manager