Session time out #64

Closed
HelenOsg opened this issue Apr 28, 2021 · 2 comments
Labels
pattern Best practice design solutions for specific user-focused tasks and page types.

Comments

@HelenOsg

HelenOsg commented Apr 28, 2021

What

For security reasons, some services time the user out after a set amount of time (time set by the service team with guidance from security).

Example: Budgeting loans - time out pop up modal

Screen Shot 2021-04-28 at 09 39 38

Example: NS JSA timeout page

Screen Shot 2021-04-28 at 09 40 58

Example: Pension credit flow

session-timeout (2).pdf

Why

To inform users they are going to be timed out. A timeout warning helps services meet WCAG 2.0 success criterion 2.2.1 - that services warn users before a timeout occurs and allow them to extend it.

WCAG 2.2.1 requirements state a user must be able to do one of the below:

  • Turn off time out
  • Adjust the time out time to cover a longer period - up to 10x the original set time out
  • Extend the session with a simple action and be able to extend it at least 10x. On extending the session the page must not be refreshed and any data entered sustained.
  • Have a session time of 20 hours

Anything else

Tech restraints - if using JavaScript for the pop up, what happens when a user has JavaScript turned off? Currently they would be timed out without a warning, which then makes the service non-compliant. Need a solution for this instance. Potentially an option for users to preset time at the beginning or default to 20 hrs.

2.2.6 includes a recommendation to add a warning about the session time to the beginning of a service. This is a recommendation and is a AAA standard (not currently required).

This is required on any service that has a timeout of less than 20 hours, including Agent facing.

Time out covered on below design systems
https://design.tax.service.gov.uk/hmrc-design-patterns/service-timeout/
https://design.homeoffice.gov.uk/patterns/stop-a-service-timing-out

alphagov/govuk-design-system-backlog#104
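Added example, not part of the issue or of the design system's code: a sketch of the client-side timing logic behind a warning that can be extended without a page refresh, as the 2.2.1 summary above describes. All names (`createSessionTimeout`, `onWarn`, `onExpire`) are hypothetical, and it assumes the server remains the authority on session lifetime and the page has already renewed the session there before calling `extend()`.

```javascript
// Constructed example. The UI (modal or page) hangs off onWarn/onExpire.
function createSessionTimeout({ timeoutMs, warnBeforeMs, maxExtensions = 10,
                                now = Date.now, onWarn, onExpire }) {
  // maxExtensions should be at least 10 to match the "extend at least 10x" option.
  let deadline = now() + timeoutMs;
  let extensionsUsed = 0;
  let state = 'active'; // 'active' | 'warning' | 'expired'

  // Call on an interval and on visibilitychange. Comparing against a stored
  // deadline (not counting ticks) stays correct when background timers are throttled.
  function tick() {
    if (state === 'expired') return state;
    const remainingMs = deadline - now();
    if (remainingMs <= 0) {
      state = 'expired';
      onExpire();
    } else if (remainingMs <= warnBeforeMs && state === 'active') {
      state = 'warning'; // warn once per timeout period
      onWarn({ remainingMs, extensionsLeft: maxExtensions - extensionsUsed });
    }
    return state;
  }

  // The "simple action": call after the server confirms the session was renewed
  // (e.g. a background keep-alive request). No navigation takes place, so
  // anything the user has typed into the page is left untouched.
  function extend() {
    if (state === 'expired' || extensionsUsed >= maxExtensions) return false;
    extensionsUsed += 1;
    deadline = now() + timeoutMs;
    state = 'active';
    return true;
  }

  return { tick, extend, getState: () => state };
}
```

This logic only runs when scripting is available, so it does not address the no-JavaScript case raised above.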

@martinwake

martinwake commented Jun 22, 2021

There might be a difference between a session timeout (normally several hours) and a page timeout (when no action has been taken on a page). A session timeout can happen whether or not someone is "signed in" - ie before they have done any authentication - so "You will be signed out" might not make sense here.

@michaelcattell michaelcattell added the pattern Best practice design solutions for specific user-focused tasks and page types. label Aug 19, 2021
@jonhurrell

This has been published on the design system.
If you have any research insights or have used the pattern, let us know on the GitHub discussion.
