Skip to main content

Session Timeout

Specific timing or session limits are often found on websites and apps. When a time limit or session expires without warning, a user's progress may be lost, requiring them to start over. Time limits occur not only when users explicitly login, but also during processes such as filling out forms or making purchases. Because assistive technology users may need more time to complete a process, sessions must be managed accessibly to ensure user success.

Before a session timeout occurs, users must be able to extend the session to continue working. Extending the session should be a simple action, such as pressing a button, and users must be allowed to extend it at least 10 times.

Exceptions to the rule include:

  • Real-time events: Such as auctions where extension is not possible
  • When timing is essential: Such as timeouts for two-factor authentication essential for security (other accessible authentication guidelines apply)
  • 20 Hours: When the time limit or session is longer than 20 hours.

Testing for Timeout

The 20 hour exception makes it difficult to fully test session timeout to WCAG standards. Technically, if a session expires after 19 hours with no option to extend, it would constitute a failure. Testers cannot reasonably wait almost a day to ensure timeout is handled correctly after many hours.

Developers should implement accessible session timeouts and inform testers of the timing and how the timeout is handled. If a tester cannot determine how timeouts are handled from the code or developer, use a simplified testing protocol.

  1. Start the session: Log in or start a form, etc.
    1. Leave the window open and idle on a second computer or monitor; avoid interacting with it
  2. Wait an hour: Go to lunch or a meeting. After an hour, if the session appears active, interact with the page to confirm
    1. If the session is still active with no indication of timeout, the site can reasonably be assumed to pass
    2. If the session timed out and this only becomes apparent when trying to use the page, the site fails
    3. If the session clearly timed out and the original form or activity has closed, proceed to step 3
  3. Start the session again: Set a stopwatch if needed to track the hour
    1. Session less than an hour are likely less than 30 minutes; 15 minutes is common
  4. Wait for the timeout to happen: When it happens, note the process:
    1. If there is a chance to extend the session with a simple action (such as pressing a button), the site likely passes. To confirm, wait until it happens again and ensure the session can be extended multiple times
    2. If not, the site fails
Last modified