Time-out notifications allow at least 20 seconds for the user to modify or extend the interaction time period using a simple keypress.
Many websites will present users with a limited time to complete a task or set of tasks. This typically takes the form of a site with a login/authentication that logs the user off the site after a certain amount of time, but can also be tasks like completing a form that must be completed within a set timeframe.
Users of assistive technology often take more time to accomplish tasks that could be completed faster by other users. Therefore, it is important that users are provided with sufficient time to complete any tasks.
There are exemptions to this rule for when the timing is essential to the activity (like an auction) or activities over 20 hours. However, security concerns are not considered an exemption. To balance security and accessibility, the session can still time out, but the user must have a way of simply extending the session.
Testing session timeout for true WCAG compliance is usually not practical because true compliance requires testing over a 20 hour period. So instead, a simplified testing of session timeout is recommended. Log into the site (or start the session, such as the form that needs completing) and wait for the timeout. If an auto timeout happens longer than about 60 minutes, it's probably fine. Otherwise, if the session does expire during that time and the user is allowed to extend the session with just a simple keypress, the site can be considered passing for this checklist.
Scoring Guide
- Pass: This is a session-based site, and either a timeout happened, but the user is able to extend the session, or the timeout didn't happen in under 60 minutes.
- Fail: Session timeout happens without warning, or cannot be extended, and the session was under 60 minutes in length.
- Not Applicable: This is a website that does not have a login or session.
- Unknown: This is an authenticated site, but the session timeout was never triggered during testing.
- Partial Fail: This should not be used.
