Session Locking and Auto-Timeout Security
PopaDex automatically protects your account by locking your session after a period of inactivity. This prevents unauthorized access if you step away from your device without manually logging out.
How Session Locking Works
When you’re signed in to PopaDex, your session remains active as long as you’re actively using the application. However, if there’s no activity for 15 minutes, PopaDex automatically:
- Locks your session - You’ll see a lock screen requiring your password
- Clears sensitive data from memory - Financial information is removed from RAM
- Requires re-authentication - You must enter your password to resume
This happens entirely in your browser without communicating with our servers, ensuring your security even if you’re offline.
What Triggers the Lock
Your session locks after 15 minutes of:
- No mouse movement
- No keyboard input
- No interactions with the PopaDex interface
Note: Simply having the tab open doesn’t count as activity. You must actively interact with the application.
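A minimal sketch of the inactivity check described above, as an added example (not PopaDex's own code); `IdleLock` and its options are hypothetical names. It measures idle time from the last input event, overwrites the key bytes on lock, and locks if the clock moves backwards.

```javascript
// Added illustration: IdleLock and its options are hypothetical names, not PopaDex code.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // the 15-minute limit described on this page

class IdleLock {
  // now is injectable for testing. The default is wall-clock time, so time spent
  // asleep with the lid closed still counts toward the limit.
  constructor({ now = Date.now, limitMs = IDLE_LIMIT_MS, onLock = () => {} } = {}) {
    Object.assign(this, { now, limitMs, onLock, locked: true, key: null });
    this.lastActivity = now();
  }

  unlock(keyBytes) {                 // keyBytes: Uint8Array obtained after the password check
    this.key = keyBytes;
    this.locked = false;
    this.lastActivity = this.now();
  }

  recordActivity() {
    // Ignored while locked: input on the lock screen must not revive the session.
    if (!this.locked) this.lastActivity = this.now();
  }

  check() {
    if (this.locked) return true;
    const idle = this.now() - this.lastActivity;
    // idle < 0 means the clock moved backwards; fail closed instead of waiting.
    if (idle >= this.limitMs || idle < 0) this.lock();
    return this.locked;
  }

  lock() {
    if (this.key) this.key.fill(0);  // overwrite key bytes, then drop the reference
    this.key = null;
    this.locked = true;
    this.onLock();                   // e.g. render the lock screen, clear decrypted views
  }

  attach(doc, everyMs = 10000) {     // browser wiring; doc is the page's document
    for (const ev of ["mousemove", "keydown", "pointerdown", "touchstart"]) {
      doc.addEventListener(ev, () => this.recordActivity(), { passive: true });
    }
    // Timers are suspended during sleep, so re-check as soon as the tab is visible again.
    doc.addEventListener("visibilitychange", () => this.check());
    return setInterval(() => this.check(), everyMs);
  }
}
```

In a page this would be wired with `new IdleLock({ onLock: showLockScreen }).attach(document)`, where `showLockScreen` is a hypothetical UI function. Overwriting a `Uint8Array` is best effort, since the JavaScript engine may hold copies that script cannot wipe.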
Unlocking Your Session
When your session locks:
- You’ll see a lock screen with your profile picture/initial
- Enter your master password
- Click “Unlock”
If E2EE is enabled, your recovery key will also decrypt your data upon unlocking.
What If You Forget Your Password?
If you can’t remember your password at the lock screen:
- Click “Sign Out” to return to the login page
- From there, you can use the password reset flow
- Warning: With E2EE enabled, a password reset requires your recovery key; resetting without it results in data loss
Session Locking vs. Logging Out
| Action | What Happens | When to Use |
|---|---|---|
| Session Lock | Requires password to unlock. Data stays encrypted in browser. | Stepping away briefly (coffee break, meeting) |
| Sign Out | Clears all data from device. Requires full login. | End of workday, shared devices, public computers |
Best Practice: Use session lock for short breaks, but always sign out when:
- Using a public or shared computer
- Ending your work session for the day
- Lending your device to someone
Adjusting Timeout Settings
Currently, the 15-minute timeout is fixed for security reasons. We’re considering adding customizable timeouts in a future update.
Manual Locking
You can manually lock your session without waiting for the timeout:
- Click your profile icon (top right)
- Select “Lock Session”
- Or use the keyboard shortcut: Cmd/Ctrl + L
This is useful when you need to step away immediately.
Mobile App Behavior
On mobile devices (iOS/Android), session locking works differently:
- iOS: Uses Face ID/Touch ID for unlock when available
- Android: Uses fingerprint/face unlock when available
- Fallback: Password entry if biometric isn’t available
- Timeout: Same 15-minute inactivity period
Security Considerations
Why 15 Minutes?
We chose 15 minutes as a balance between security and convenience:
- Too short (5 min) - Frustrating for users during normal work
- Too long (30+ min) - Increased risk if device is unattended
- 15 minutes - Industry standard for financial applications
What’s Protected
When your session locks:
- ✅ All financial data cleared from memory
- ✅ Encryption keys removed from RAM
- ✅ Browser localStorage remains encrypted
- ✅ Network connections terminated
- ❌ Browser doesn’t close (data stays encrypted on disk)
Additional Security Layers
Session locking works alongside:
- E2EE: Data encrypted at rest even when unlocked
- HTTPS: All network traffic encrypted
- CSRF tokens: Prevents unauthorized requests
- Session rotation: Keys regenerated after unlock
Troubleshooting
Session Locks Too Frequently
If your session locks more often than expected:
- Check if browser extensions are causing interference
- Ensure you’re actually interacting with PopaDex (not just having the tab open)
- Verify system time is correct (affects timeout calculation)
Can’t Unlock Session
If you enter your password but can’t unlock:
- Check Caps Lock isn’t enabled
- Try refreshing the page (F5)
- Clear your browser cache if the issue persists
- As a last resort, sign out and sign back in
Data Loss on Lock?
No! Session locking never causes data loss:
- All data is encrypted and saved
- Locking only clears it from active memory
- Everything returns when you unlock
FAQ
Q: Does session lock work offline?
A: Yes! It runs entirely in your browser and doesn’t require internet.
Q: What if I’m in the middle of editing something?
A: PopaDex auto-saves as you type. When you unlock, you’ll see your latest changes.
Q: Can I extend the timeout temporarily?
A: Not currently, but this feature is on our roadmap.
Q: Does closing the laptop lid trigger lock?
A: Not directly, but it stops activity detection so the 15-minute timer continues.
Q: Is session lock required for GDPR compliance?
A: While not strictly required, it’s considered a best practice for protecting personal financial data.
Related Topics
- End-to-End Encryption - How your data stays encrypted
- Password Reset - What to do if you forget your password
- Recovery Keys - Backup access method