Session timeout

[jonhurrell]

What work do we need to do?

Let users add time on to a session.

Why are we doing it?

Accessibility. WCAG 2.2.1 states a user must be able to add additional time onto a session if needed. A lot of our citizen services use sessions (for security).

Related stories

• Research: Meeting with Craig to understand scope and requirements.
• Research: Meeting with Craig to review time out proof of concept
• Feature: Session time out POC #52
• Create draft content for session time out pattern page Create session time out pattern draft content #94
• Add example of timeout banner for user's with javascript turned off Add example of timeout banner for user's with javascript turned off #122
• Review content and suggested solution with Craig Abbot and security team
• Update session timeout content Update session timeout guidance page with feedback from accessibility team #124
• Remove cookie banner from timeout example @Remove cookie banner from session time out example #123
• Update timeout content examples following feedback from accessibility
• Manage session timeout amends Manage session timeout amends #134
• Arrange accessibility audit of modal with Craig
• Add ticket in backlog for future requirement to iterate pattern based on HMRC example
• Update content in the non-JS example Change copy in non-JS version of timeout pattern #151

[HelenOsg]

meeting planned with Craig w/c 19/10

[HelenOsg]

Conversation with Craig re:time out pattern

Currently we have services that time out after 20-30 minutes without a warning. This deletes any information the user has input.

WCAG 2.2.1 requirements state a user must be able to do one of the below:

• Turn off time out
• Adjust the time out time to cover a longer period - up to 10x the original set time out
• Extend the session with a simple action and be able to extend it at least 10x. On extending the session the page must not be refreshed and any data entered sustained.
• Have a session time of 20 hours

Register to vote have gone for the extend a the session option. They have a warning pop up (javascript) at 15 minutes with a further 5 minute countdown for the user to extend the session.

Security are resistant to long session times so 20 hours will probably get push back.

Tech restraints - if using javascript for the pop up what happens when a user has javascript turned off? Currently they would be timed out without a warning which then makes the service non-compliant. Need a solution for this instance. Potentially an option for users to preset time at the beginning or default to 20 hrs.

Stakeholders that need involvement are Craig (accessibility), security teams and design a UR community.

2.2.6 includes a recommendation to add a warning about the session time to the beginning of a service. This is a recommendation and is a AAA standard (not currently required).

This is required on any service that has a timeout of less than 20 hours, including Agent facing.

Next steps

• Find out what other services are doing for time out patterns
• Speak to UR community to see if any research has been done on pattern or user needs
• If no UR has been conducted or can be found speak to UR community to see what could be planned in.
• Create potential solutions to run through with Craig
• Take proposal to security teams for feedback

[simoneduca]

Session timeout proof of concept #79

[HelenOsg]

Time out covered on below design systems
https://design.tax.service.gov.uk/hmrc-design-patterns/service-timeout/
https://design.tax.service.gov.uk/hmrc-design-patterns/service-timeout/

alphagov/govuk-design-system-backlog#104

https://budgeting-loan-application-new.herokuapp.com/BLAS/master/timeout-warning New style JSA extend service modal (u - BL p - LB)

[HelenOsg]

Time out screen from NSJSA

[HelenOsg]

session-timeout.pdf
Example from pension credit. The live service has 30 mins on the timeout.
The timeout is trigged when the user has failed to click continue for set time, it doesn't track cursor or keyboard use.

[jonhurrell]

@HelenOsg to look at identifying someone in security to check over documentation.

[HelenOsg]

alphagov/govuk-design-system-backlog#30

[HelenOsg]

Email response from Pete Kelly re:session timeout length.

Hi Helen

Session time out was a fraught subject and we did some work to establish a standard that we have implemented in all our and WA external facing applications which is a balance between, usability, accessibility and security outlined below .

Timeout:
· Without activity is 20 mins without activity
· Timeout can be extended to a maximum of 12 hours with some activity (with a warning at least 20 seconds before the session ends) e.g. a key press every 19 mins

There has been some discussion around this but the DWP “policy” was a balance between usability and security and this was the pattern that we adopted. It addresses the NCSC and WCAG guidance’s and provides a known level of security protection for our services and the client accounts

National Cyber Security Centre (NCSC) recommend a 15 minute timeout but are flexible based on use case and threat level:
https://www.ncsc.gov.uk/guidance/application-development-guidance-introduction#session-handling

This NCSC guidance is in conflict with WCAG 2.1 "Guideline 2.2 Enough Time" which requires action for us on sessions discarded below 20 hours:

See Success Criterion 2.2.1 Timing Adjustable
https://www.w3.org/WAI/WCAG21/Understanding/timing-adjustable.html

If a session is discarded after less than 20 hours, we must provide the facility to either:

Turn off the timeout - (well we can’t do this one and satisfy our policy)
Adjust the timeout via a setting (make it longer) – (This one again is not really acceptable)
Offer to extend the timeout with at least 20 seconds notice – (we could add in a warning and do it this way with a maximum time to 12 hours)

HTD

Pete

[jonhurrell]

Let's chase Health Assessment Service (query content changes) for any insights. Let's capture these in a discussion.