Timeout page #103
Comments
Dan Butterworth from DVLA made a comment about requiring more discussion around accessibility vs security on this pattern.
Comment by @terrysimpson99, copied from #207 (duplicate issue): I'll quote Jennifer's comment on #104: Can anyone respond to Jennifer's question? Secondly, the server-based timeout only measures time since page load. Pressing keys or moving a mouse has no effect on it. A user can spend 12 minutes crafting some text and then nip out for 3 minutes (answer the door, make a drink, call of nature) only to find themselves timed out. Is it feasible to have a timeout that is responsive to user activity?
Comment by @joelanman, copied from #207 (duplicate issue): I've often thought it would be a good use of JavaScript to ping the server to continue the session whenever user activity is detected, to avoid the issue you mentioned.
To add more context, the JavaScript idea would be particularly useful on pages where the user might spend a long time before submitting. For example, a page where you might type in a large amount of text. JavaScript could ping the server as you type or interact, to stop the session timing out - it's user activity in the same way that moving from page to page is.
What about providing the option to turn off the timeout? WCAG 2.2.1 offers a few options as examples and turning off is one that prevents us from making assumptions about the user: https://www.w3.org/TR/WCAG21/#timing-adjustable I'd also bear in mind that the WCAG recommendation for extending is at least 10 times the current limit.
@joelanman The client only needs to ping the server once prior to the warning.
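Added example, not part of the thread or the project's code: a sketch of the "ping once before the warning, and only if the user has been active" idea discussed above. The 15-minute idle timeout, 2-minute warning window, 8-hour absolute cap, and the names `createKeepAlive`, `recordActivity` and `check` are all assumptions; `ping` stands in for whatever request the service uses to refresh the session.

```javascript
// Constructed values (assumptions, not from the thread's services).
const MIN = 60 * 1000;
const SESSION_MS = 15 * MIN;        // server idle timeout, restarted by any request
const WARN_BEFORE_MS = 2 * MIN;     // timeout warning is shown this long before expiry
const MAX_LIFETIME_MS = 8 * 60 * MIN; // absolute cap so pings cannot extend a session forever

// startMs: when the page loaded; ping: callback that sends one request to the server.
function createKeepAlive(startMs, ping) {
  let lastServerContact = startMs; // last time the server's idle timer was reset
  let lastActivity = startMs;      // last key press, pointer move, etc. seen locally

  return {
    // Call from (throttled) input handlers. Purely local, no network traffic.
    recordActivity(nowMs) {
      lastActivity = nowMs;
    },

    // Call on a timer. Returns 'wait', 'pinged', 'warn' or 'expired'.
    check(nowMs) {
      const idleExpiry = lastServerContact + SESSION_MS;
      const hardExpiry = startMs + MAX_LIFETIME_MS;
      if (nowMs >= Math.min(idleExpiry, hardExpiry)) return 'expired';
      // Close to the absolute cap a ping cannot help, so warn regardless of activity.
      if (nowMs >= hardExpiry - WARN_BEFORE_MS) return 'warn';
      if (nowMs < idleExpiry - WARN_BEFORE_MS) return 'wait';
      // At the warning threshold: one ping, only if the user did something
      // since the server last heard from this page.
      if (lastActivity > lastServerContact) {
        ping();
        lastServerContact = nowMs;
        return 'pinged';
      }
      return 'warn'; // genuinely idle: show the timeout warning
    },
  };
}
```

With these values, a user who types until minute 12 and steps away until minute 15 gets one ping at minute 13 and is still signed in on return; a user who never touches the page gets the warning at minute 13 with no ping sent.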
This discussion is mainly about when and how a timeout page might appear and be triggered, but unless I'm missing something we still don't seem to have a pattern for the content (which I think is what #207 was trying to do). We should be able to do that without necessarily agreeing the details of the implementation, I think. Is it a separate ticket?
What
Protect users' personal data by cancelling a session if it is inactive for a period of time.
Why
All services that use sessions already use, or should use, this pattern.
Anything else
(contact the design system team for credentials) - some context here
Related patterns
#104 Timeout warning