Closed amazingphilippe closed 2 weeks ago
Including in Ally stmt with indication that we're exempt
Yedida and Phil are looking into why we can't extend sessions to 20 hours.
Part of updates to accessibility statement and may pull this back into backlog
Jimmy explained in Slack thread: This was actually a security recommendation from the ATO. Leaving a user session open for too long increases the risk of the session being taken over. Someone on site, for example, could use the computer of a logged-in user if they leave it unlocked and unattended. We picked 8h as the work time period of employees, which is longer than many systems and should be convenient for users to only log in once per day.
Check whether still needs to go in statement @YedidaZalik
Keep the card open to consider for the future. No longer a blocker to the Ally statement. Unassign and move to backlog.
@andrewleith can we just let users know that we will time out after a certain amount of time? aka what you suggested above?
related to @andrewleith's work on session timeout/log out
@andrewleith is this now resolved with the completed card for session timeout?
Description of issue
The session times out if there’s been no activity on the page for 8 hours. In order to meet this success criterion, users need to be warned when the session is going to expire and be given explicit instructions on how to extend it.
Alternatively, the session length could be extended to 20 hours in which case no warning would be needed.
Finally, it could be argued that this success criterion can be exempted for security reasons (the “Essential Exception”).
For more information on criterion requirements and how to meet them, see the Understanding Timing Adjustable page.
Potential fix
Resources
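The warning-and-extend behaviour the description asks for, as an added example that is not part of this issue or the project's code: a client-side inactivity timer that fires a warning with explicit instructions before the 8-hour idle timeout and offers a "Stay signed in" action. The 20-minute warning lead time, the element ids, and the `/session/extend` endpoint are assumptions; the clock is injectable so the logic runs in Node without a browser.

```javascript
// Added example (not from the issue or the project): inactivity timer that warns
// before the idle timeout and lets the user extend it. Server-side expiry must
// still be enforced independently; this only drives the warning UX and the
// extend request, so a tampered client cannot keep a session alive on its own.

const SESSION_MS = 8 * 60 * 60 * 1000; // 8 h idle timeout, as stated in the issue
const WARNING_MS = 20 * 60 * 1000;     // warn 20 min before expiry (assumed value)

// Dialog text: gives the explicit "how to extend" instruction the criterion asks for.
function warningMessage(msRemaining) {
  const minutes = Math.max(1, Math.ceil(msRemaining / 60000));
  return `Your session will expire in ${minutes} minute${minutes === 1 ? '' : 's'} ` +
         `due to inactivity. Select "Stay signed in" to extend it.`;
}

class SessionTimer {
  constructor({ sessionMs = SESSION_MS, warningMs = WARNING_MS, now = () => Date.now(),
                onWarn = () => {}, onExpire = () => {}, refreshSession = async () => true } = {}) {
    if (warningMs >= sessionMs) throw new RangeError('warning lead time must be shorter than the session');
    Object.assign(this, { sessionMs, warningMs, now, onWarn, onExpire, refreshSession });
    this.lastActivity = now();
    this.warned = false;
    this.expired = false;
  }

  // Called on keyboard/pointer events: resets the idle window (a no-op once expired).
  activity() {
    if (this.expired) return false;
    this.lastActivity = this.now();
    this.warned = false;
    return true;
  }

  // "Stay signed in" handler: the server must actually refresh the session,
  // otherwise the client timer and the real session drift apart.
  async extend() {
    if (this.expired) return false;
    const ok = await this.refreshSession();
    if (ok) this.activity();
    return ok;
  }

  // Poll on an interval (e.g. every 30 s). Returns 'active' | 'warning' | 'expired'.
  check() {
    if (this.expired) return 'expired';
    const idle = this.now() - this.lastActivity;
    if (idle >= this.sessionMs) {
      this.expired = true;
      this.onExpire();
      return 'expired';
    }
    if (idle >= this.sessionMs - this.warningMs) {
      if (!this.warned) {            // warn once per idle window, not on every poll
        this.warned = true;
        this.onWarn(warningMessage(this.sessionMs - idle));
      }
      return 'warning';
    }
    return 'active';
  }
}

// Browser wiring (runs only where `document` exists, so the file also loads in Node).
// Element ids and the extend endpoint are assumed for the example.
if (typeof document !== 'undefined') {
  const timer = new SessionTimer({
    onWarn: (msg) => {
      const dialog = document.getElementById('session-warning');
      if (dialog) { dialog.textContent = msg; dialog.hidden = false; }
    },
    onExpire: () => { window.location.href = '/sign-in?expired=1'; },
    refreshSession: async () =>
      (await fetch('/session/extend', { method: 'POST', credentials: 'same-origin' })).ok,
  });
  ['keydown', 'pointerdown', 'scroll'].forEach((ev) =>
    document.addEventListener(ev, () => timer.activity(), { passive: true }));
  const button = document.getElementById('stay-signed-in');
  if (button) button.addEventListener('click', () => timer.extend());
  setInterval(() => timer.check(), 30 * 1000);
}
```

The warning is emitted once per idle window and cleared by any activity, so a user who is typing never sees it; the extend action is a server round-trip rather than a local reset, which keeps the 8-hour limit enforced where it matters.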