Overview

In some cases, it is appropriate to set time limits on how long users can spend interacting with certain functionality. This is often done for security purposes. For example, if you are logged into your online banking, and you don't interact with the application for 10 minutes, it automatically logs you out. 

Some users require additional time to read and interact with web content. If your service does not warn users that they will be logged out, nor provide them with a way to extend the time limit, the service might be inaccessible to certain people with disabilities. 

Guidelines

The Web Content Accessibility Guidelines offers several ways timeouts can be made more accessible:

1. Provide a way for users to manually turn off the time limit
2. Provide a way for users to manually extend the time limit to at least 10x the default length
3. Use a default time limit of at least 20 hours
4. Inform the user their session is about to expire, and give them at least 20 seconds to perform a simple action to extend their session.

Options 1 - 3 are likely to compromise the security or logistical needs of the time-based session; option 4 is the most commonly implemented and recommended approach. A simple technique would be to have a user confirm their activity in a JavaScript confirm popup.

How to Test

• If a page has a timer, remain inactive on the page until the session is about to expire.
• Verify an alert appears about the session expiring.
• Verify the alert gives the user at least 20 seconds to respond. More time is allowable, and preferable.
• Verify the alert receives keyboard focus.
• Verify that selecting the "give more time" option prevents the user from logging out.