martinwake
commented
3 years ago There might be a difference between a session timeout (normally several hours) and a page timeout (when no action has been taken on a page). A session timeout can happen whether or not someone is "signed in" - ie before they have done any authentication - so "You will be signed out" might not make sense here.
jonhurrell
What
For security reasons some services time the user out after a set amount of time (time set by service team with guidance from security)
Example: Budgeting loans - time out pop up modal
Example: NS JSA timeout page
Example: Pension credit flow
session-timeout (2).pdf
Why
To inform user's they are going to be timed out. A timeout warning helps services meet WCAG 2.0 success criterion 2.2.1 - that services warn users before a timeout occurs and allow them to extend it.
WCAG 2.2.1 requirements state a user must be able to do one of the below:
Anything else
Tech restraints - if using javascript for the pop up what happens when a user has javascript turned off? Currently they would be timed out without a warning which then makes the service non-compliant. Need a solution for this instance. Potentially an option for users to preset time at the beginning or default to 20 hrs.
2.2.6 includes a recommendation to add a warning about the session time to the beginning of a service. This is a recommendation and is a AAA standard (not currently required).
This is required on any service that has a timeout of less than 20 hours, including Agent facing.
Time out covered on below design systems https://design.tax.service.gov.uk/hmrc-design-patterns/service-timeout/ https://design.homeoffice.gov.uk/patterns/stop-a-service-timing-out
alphagov/govuk-design-system-backlog#104