There are numerous times in web browsing when a timer (often invisible) starts running and a user must complete a task within the timeframe or risk losing their progress or being unable to ever complete the task. This is not only when a user explicitly logs in to a website, but other times as well such as when filling out a form or making a purchase. As users of assistive technology often take longer to complete than non-assistive technology users, these sessions often need to be extendable so that users can be successful.
Before a session timeout happens, the user needs to be able to extend the session so they can continue working. This needs to be simple (like a simple press of the enter key) and the user needs to be able to do this at least 10 times.
A few exemptions do exist to this rule though. The big ones are:
- Real-time events: if this is an auction or something that the real-time nature is essential to the activity, the timeout rules are exempted.
- When timing is essential: Activities such as taking a timed quiz for example would be exempt (note though that for quizzes, you might be required to provide an accommodation that says the student has more time).
- Sessions that are longer than 20 hours.
That last exemption makes it difficult to test session timeout fully to WCAG standards though, as technically if it logs out after 19 hours it would fail the standard. If you are not the developer of the website, you would have to sit and wait for almost a day to ensure that the session timeout didn't happen at the wrong time.
So instead, if you can't determine from the code or the developer what the timeout parameters are, use a simplified version of testing the session timeout.
- Start the session: Log in or start a form, etc.
- Leave the window open on a second computer or monitor and otherwise, don't interact with it.
- Wait an hour: Go to lunch or a meeting. If you appear to be still logged in, interact with the page a bit to confirm you are actually logged in.
- When you come back, if you are still logged in, you can probably assume that it is OK and give the site a pass.
- If you are logged out, and you are unaware of this, it is a fail.
- If you are obviously logged out, proceed to step 3.
- Start the session again: Set a stopwatch if you want so you know when your hour is up.
- Any session less than an hour is honestly probably going to be less than 30 minutes. 15 minutes seems to be pretty common.
- Wait for the timeout to happen. When it happens, note what the process was:
- If you are given a chance to extend the session and can do so with pressing enter, it's probably safe to give it a pass. To be sure, wait until it happens again and make sure you can do it multiple times.
- If not, then this is a fail.