Timeout page #103

Open
govuk-design-system opened this issue Jan 15, 2018 · 6 comments

Comments

Collaborator

@govuk-design-system govuk-design-system commented Jan 15, 2018

What

Protect users' personal data by cancelling a session if it is inactive for a period of time.

Why

All services that use sessions already use, or should use, this pattern.

Anything else

Related patterns

#104 Timeout warning

Contributor

@ignaciaorellana ignaciaorellana commented Feb 21, 2018

Dan Butterworth from DVLA made a comment about requiring more discussion around accessibility vs security on this pattern.

Member

@hannalaakso hannalaakso commented Jun 18, 2020

Comment by @terrysimpson99, copied from #207 (duplicate issue):

I'll quote Jennifer's comment on #104:
"We've been discussing the service timeout pattern in our HMRC Working Group. At present, our timeout is set at 15 minutes by default and our discussions have mostly been around the legitimacy of increasing this to, for example, 30 minutes where there's a strong user need. Whether designers are able to do this or not is currently quite hazy, and we have been fielding requests that when this pattern is documented it is made more transparent that times can be increased and guidance is given about the process for doing this. I'm wondering - is this something that should be dealt with on a departmental level, or can this be covered within the GOV.UK Design System?"

Can anyone respond to Jennifer's question?

Secondly, the server-based timeout only measures time since page load. Pressing keys or moving a mouse has no effect on it. A user can spend 12 minutes crafting some text and then nip out for 3 minutes (answer the door, make a drink, call of nature) only to find themselves timed out. Is it feasible to have a timeout that is responsive to user activity?

Member

@hannalaakso hannalaakso commented Jun 18, 2020

Comment by @joelanman, copied from #207 (duplicate issue):

I've often thought it would be a good use of JavaScript to ping the server to continue the session whenever user activity is detected, to avoid the issue you mentioned.

Member

@joelanman joelanman commented Jun 18, 2020

To add more context, the JavaScript idea would be particularly useful on pages where the user might spend a long time before submitting. For example, a page where you might type in a large amount of text. JavaScript could ping the server as you type or interact, to stop the session timing out - it's user activity in the same way that moving from page to page is.


@anevins12 anevins12 commented Jun 18, 2020

What about providing the option to turn off the timeout? WCAG 2.2.1 offers a few options as examples and turning off is one that prevents us from making assumptions about the user: https://www.w3.org/TR/WCAG21/#timing-adjustable

I'd also bear in mind that the WCAG recommendation for extending is at least 10 times the current limit.


@terrysimpson99 terrysimpson99 commented Jun 19, 2020

@joelanman The client only needs to ping the server once prior to the warning.
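
The activity-aware timeout discussed in the comments above, as an added example that is not part of the thread or of any GOV.UK Design System code: the client records activity locally and contacts the server once, just before the warning would appear, while the server keeps an absolute lifetime that pings cannot extend. All class and function names, the 2-minute warning lead and the 8-hour absolute cap are assumptions; only the 15-minute idle timeout comes from the thread.

```javascript
// Added example; every name here is hypothetical, not from the Design System.
const MIN = 60 * 1000;
const IDLE_TIMEOUT_MS = 15 * MIN;      // 15-minute default quoted in the thread
const WARNING_LEAD_MS = 2 * MIN;       // assumption: warning appears 2 min before expiry
const ABSOLUTE_MAX_MS = 8 * 60 * MIN;  // assumption: hard cap that pings cannot extend

// Server side: the idle deadline slides on each request, the absolute one never moves.
class ServerSession {
  constructor(now) { this.createdAt = now; this.lastSeen = now; }
  isExpired(now) {
    return now - this.lastSeen >= IDLE_TIMEOUT_MS ||
           now - this.createdAt >= ABSOLUTE_MAX_MS;
  }
  touch(now) {                         // page load or keep-alive ping
    if (this.isExpired(now)) return false;
    this.lastSeen = now;
    return true;
  }
}

// Client side: record activity locally, contact the server at most once per
// idle window, at the moment the warning would otherwise be shown.
class KeepAlive {
  constructor(now, ping) { this.lastContact = now; this.lastActivity = null; this.ping = ping; }
  onActivity(now) { this.lastActivity = now; }   // wire to keydown / pointer events
  nextCheckAt() { return this.lastContact + IDLE_TIMEOUT_MS - WARNING_LEAD_MS; }
  atWarningTime(now) {
    const active = this.lastActivity !== null && this.lastActivity > this.lastContact;
    if (!active) return 'show-warning';          // nobody there: warn as usual
    if (!this.ping(now)) return 'session-ended'; // server refused (expired or capped)
    this.lastContact = now;
    return 'extended';
  }
}

// Constructed scenario from the thread: 12 minutes of typing, then the user leaves.
function simulate() {
  const session = new ServerSession(0);
  const client = new KeepAlive(0, (t) => session.touch(t));
  for (let t = MIN; t <= 12 * MIN; t += MIN) client.onActivity(t);
  const first = client.atWarningTime(client.nextCheckAt());   // t = 13 min
  const aliveAt15 = !session.isExpired(15 * MIN);
  const second = client.atWarningTime(client.nextCheckAt());  // t = 26 min
  const expiredAt28 = session.isExpired(28 * MIN);
  return { first, aliveAt15, second, expiredAt28 };
}
```

In a browser, `onActivity` would be called from input event listeners and `atWarningTime` scheduled with a timer for `nextCheckAt()`; the server-side check remains the authority on whether the session is still valid.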
