Timeout page

[govuk-design-system]

What

Protect users personal data by cancelling a session if it is inactive for a period of time.

Why

All services that use sessions already use, or should use this pattern.

Anything else

• Draft guidance for session timeouts on Google Docs
• User research findings
• Demo page used in research
  (contact the design system team for credentials) - some context here
• Notes from xgov design system workshop: We need to explain drawbacks of timeouts

Related patterns

#104 Timeout warning

[ignaciaorellana]

Dan Butterworth from DVLA made a comment about requiring more discussion around accessibility vs security on this pattern.

[hannalaakso]

Comment by @terrysimpson99, copied from #207 (duplicate issue):

I'll quote Jennifer's comment on #104:
"We've been discussing the service timeout pattern in our HMRC Working Group. At present, our timeout is set at 15 minutes by default and our discussion have mostly been around the legitimacy of increasing this to, for example, 30 minutes where there's a strong user need. Whether designers are able to do this or not is currently quite hazy, and we have been fielding requests that when this pattern is documented it is made more transparent that times can be increased and guidance is given about the process for doing this. I'm wondering - is this something that should be dealt with on a departmental level, or can this be covered within the GOV.UK Design System?"

Can anyone respond to Jennifer's question?

Secondly, the server-based timeout only measures time since page load. Pressing keys or moving a mouse have no effect on it. A user can spend 12 minutes crafting some text and then nip out for 3 minutes (answer the door, make a drink, call of nature) only to find themselves timed out. Is it feasible to have a timeout that is responsive to user activity?

[hannalaakso]

Comment by @joelanman, copied from #207 (duplicate issue):

I've often thought it would be a good use of javascript to ping the server to continue the session whenever user activity is detected, to avoid the issue you mentioned.

[joelanman]

To add more context, the JavaScript idea would be particularly useful on pages where the user might spend a long time before submitting. For example a page where you might type in a large amount of text. JavaScript could ping the server as you type or interact, to stop the session timing out - it's user activity in the same way that moving from page to page is.

[anevins12]

What about providing the option to turn off the timeout? WCAG 2.2.1 offers a few options as examples and turning off is one that prevents us from making assumptions about the user: https://www.w3.org/TR/WCAG21/#timing-adjustable

I'd also bear in mind that the WCAG recommendation for extending is at least 10 times the current limit

[terrysimpson99]

@joelanman The client only needs to ping the server once prior to the warning.

[martinwake]

This discussion is mainly about when and how a timeout page might appear and be triggered, but unless I'm missing something we still don't seem to have a pattern for the content (which I think is what #207 was trying to do). We should be able to do that without necessarily agreeing the details of the implementation, I think. Is it a separate ticket?