cds-snc / notification-planning

Project planning for GC Notify Team

Timing Adjustable #1461

Closed amazingphilippe closed 2 weeks ago

amazingphilippe commented 6 months ago

Description of issue

The session times out if there’s been no activity on the page for 8 hours. In order to meet this success criterion, users need to be warned when the session is going to expire and be given explicit instructions on how to extend it.

Alternatively, the session length could be extended to 20 hours in which case no warning would be needed.

Finally, it could be argued that this success criterion can be exempted for security reasons (the “Essential Exception”).

For more information on criterion requirements and how to meet them, see the Understanding Timing Adjustable page.

Potential fix

Resources

YedidaZalik commented 3 months ago

Including in Ally stmt with indication that we're exempt

amazingphilippe commented 3 months ago

Yedida and Phil are looking into why we can't extend sessions to 20 hours.

mtoutloff commented 3 months ago

Part of updates to accessibility statement and may pull this back into backlog

YedidaZalik commented 3 months ago

Jimmy explained in Slack thread: This was actually a security recommendation from the ATO. Letting a user session stay open for too long increases the risk of this session being taken over. Someone on site, for example, could use the computer of a logged-in user if they leave it unlocked and unattended. We picked 8h as the work time period of employees, which is longer than many systems and should be convenient for users to only log in once per day.

andrewleith commented 3 months ago

YedidaZalik commented 2 months ago

Check whether still needs to go in statement @YedidaZalik

YedidaZalik commented 2 months ago

- Keep the card open to consider for future
- No longer a blocker to Ally statement
- Unassign and move to backlog

jzbahrai commented 2 months ago

@andrewleith can we just let users know that we will time out after a certain amount of time? aka what you suggested above?

yaelberger-commits commented 1 month ago

related to @andrewleith's work on session timeout/log out

yaelberger-commits commented 1 month ago

@andrewleith is this now resolved with the completed card for session timeout?