
14. Session Timeout

Requirement

Time-out notifications allow at least 20 seconds for the user to modify or extend the interaction time period using a simple keypress.

Evaluation Process

For any time-limited tasks, such as authenticated sessions or forms, users must be provided sufficient time to complete them. This is particularly critical for users of assistive technology who may require more time.

This requirement has exemptions for activities where a time limit is essential (e.g., an auction) or for tasks exceeding 20 hours. Security concerns are not an exemption. Timed-out sessions must offer a simple method for the user to extend their time.

A simplified testing protocol may include the following:

  1. Initiate a timed session and wait for a timeout.
  2. A session lasting over 60 minutes is generally acceptable.
  3. If a timeout occurs in less than 60 minutes, the system must provide a simple mechanism for the user to extend the session to be considered compliant (e.g., the user is presented with a dialog window to extend the session, and that is accomplished with a simple keypress).
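
The timing behind the extension mechanism that step 3 checks for, as an added example that is not part of the original page. All names (`SessionTimeout`, `renew`, `onWarn`, `onExpire`) are hypothetical, and `renew()` stands in for a server-side session renewal, modeled here as a synchronous callback that returns true on success.

```javascript
// Added example: state logic for an extendable session-timeout warning.
// All names here are hypothetical, not taken from any real library.
const MIN_WARNING_MS = 20000; // requirement: at least 20 seconds to respond

class SessionTimeout {
  constructor({ idleMs, warningMs, now, renew, onWarn, onExpire }) {
    if (warningMs < MIN_WARNING_MS) throw new RangeError("warning window under 20 s");
    if (idleMs <= warningMs) throw new RangeError("idle limit must exceed warning window");
    Object.assign(this, { idleMs, warningMs, renew, onWarn, onExpire });
    this.state = "active";
    this.expiresAt = now + idleMs;
  }

  // Call periodically (e.g. from setInterval) with the current time in ms.
  tick(now) {
    if (this.state === "expired") return this.state;
    if (now >= this.expiresAt) {
      this.state = "expired";
      this.onExpire();
    } else if (this.state === "active" && now >= this.expiresAt - this.warningMs) {
      this.state = "warning";
      this.onWarn(this.expiresAt - now); // ms remaining, for the dialog text
    }
    return this.state;
  }

  // Call from the warning dialog's keydown handler (a single keypress).
  // The client timer is only a display: the session is extended solely
  // when the server-side renewal behind renew() succeeds.
  extend(now) {
    if (this.state !== "warning" || now >= this.expiresAt) return false;
    if (!this.renew()) return false;
    this.expiresAt = now + this.idleMs;
    this.state = "active";
    return true;
  }
}
```
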

Scoring Guide

  • Pass: This is a session-based site. If a timeout occurs, the user is able to extend the session. Alternatively, a timeout does not occur in under 60 minutes.
  • Fail: Session timeout happens without warning or cannot be extended.
  • Not Applicable: This is a website that does not have a login or session.
  • Unknown: This is an authenticated site, but the session timeout was never triggered during testing.
  • Partial Fail: There is no partial fail for the Session Timeout requirement.

More Information

Relevant WCAG Information
