Re: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity)

>>I’d be happier to imagine a world where some users are unavoidably timed
out of sessions (for security reasons or reasons beyond their control) but
where they could *always* guarantee to re-enter the session at the same
point without having lost any entered information and choices made.

Me too... I believe there were some difficulties in getting that through in
WCAg 2. We really tried, but security people shot it down...maybe this time
around we can scope out those situations that are concerning about storing
data that the user filled in... perhaps we could say something like

"...preserving all of the data entered and steps completed by the user, and
allowing them to return to the step at which they were forcibly logged
out... if such data was stored and is retrievable."

Cheers,
David MacDonald



*Can**Adapt* *Solutions Inc.*
Tel:  613.235.4902

LinkedIn
<http://www.linkedin.com/in/davidmacdonald100>

twitter.com/davidmacd

GitHub <https://github.com/DavidMacDonald>

www.Can-Adapt.com <http://www.can-adapt.com/>



*  Adapting the web to all users*
*            Including those with disabilities*

If you are not the intended recipient, please review our privacy policy
<http://www.davidmacd.com/disclaimer.html>

On Thu, Feb 9, 2017 at 11:57 AM, Michael Pluke <
Mike.Pluke@castle-consult.com> wrote:

> You are right that "preserving all of the data entered and steps completed
> by the user, and allowing them to return to the step at which they were
> forcibly logged out" is really the same as what SC 2.2.5 proposes – but
> unfortunately it is only AAA. However, Jason White is right when he
> highlights the importance of this aspect of the proposal and says it “is an
> aspect of the proposal that should be supported in relation to time limits
> for which it makes sense.”
>
>
>
> What might be good is to see if it is possible to break this out and
> “identify the time limits for which it makes sense”, include those in the
> scope, and create a new success criteria that elevates this to at least AA,
> preferably to A.
>
>
>
> I’d be happier to imagine a world where some users are unavoidably timed
> out of sessions (for security reasons or reasons beyond their control) but
> where they could *always* guarantee to re-enter the session at the same
> point without having lost any entered information and choices made.
>
>
>
> Best regards
>
>
>
> Mike
>
>
>
> *From:* Sailesh Panchang [mailto:sailesh.panchang@deque.com]
> *Sent:* 09 February 2017 16:21
> *To:* David MacDonald <david@can-adapt.com>
> *Cc:* EA Draffan <ead@ecs.soton.ac.uk>; WCAG <w3c-wai-gl@w3.org>;
> Jonathan Avila <jon.avila@ssbbartgroup.com>; Alastair Campbell <
> acampbell@nomensa.com>; Glenda Sims <glenda.sims@deque.com>; Gregg C
> Vanderheiden <greggvan@umd.edu>
> *Subject:* Re: Timing Adjustable: does it apply to timeout from
> inactivity (no mouse, keyboard activity)
>
>
>
> If the user fails to convey activity or to respond to the 'Continue
> session?' dialog then it is ok to be timed out.
> If the application is going to permit one to extend session say a
> limited number of times, then it is important for the dialog to convey
> that. i.e. "Continue session? (8 attempts left)'
>
> I usually recommend pretty much what the WCAG says: "Warn the user
> before time expires and give the user at least 20 seconds to extend
> the time limit with a simple action (for example, "press the space
> bar"). Show this warning a few times as considered reasonable (WCAG
> suggests at least ten times)".
> Content authors can then balance security and accessibility requirements.
>
> By the way, I find some applications do a poor job of sensing
> activity and the popup appears even as one is interacting with an
> application: even apps that for which timing is not criticaal, like
> entering data into an online tax app as against an online ticket
> purchase site.
>
> Is what Jason requests, "preserving all of the data entered and steps
> completed by the user, and allowing them to return to the step at
> which they were forcibly logged out" not the same as what SC 2.2.5
> suggests?
> Thanks and regards,
> Sailesh Panchang
>
> On 2/9/17, David MacDonald <david@can-adapt.com> wrote:
> >> If the suggested minimal activity were possible and there was some way
> of
> > alerting the user to the time passing, that would be a better solution
> than
> > not being able to complete the task, as long as the security experts are
> > happy.
> >
> > In the scenario I'm interested in, the session says open while the user
> is
> > active in the program. It would only time out if they didn't interact
> with
> > the page for 15 minutes. So the clock is not counting down while they are
> > interacting with the site, only when they are not interacting with it.
> >
> > Cheers,
> > David MacDonald
> >
> >
> >
> > *Can**Adapt* *Solutions Inc.*
> > Tel: 613.235.4902 <(613)%20235-4902>
> >
> > LinkedIn
> > <http://www.linkedin.com/in/davidmacdonald100>
> >
> > twitter.com/davidmacd
> >
> > GitHub <https://github.com/DavidMacDonald>
> >
> > www.Can-Adapt.com <http://www.can-adapt.com/>
> >
> >
> >
> > * Adapting the web to all users*
> > * Including those with disabilities*
> >
> > If you are not the intended recipient, please review our privacy policy
> > <http://www.davidmacd.com/disclaimer.html>
> >
> > On Thu, Feb 9, 2017 at 10:18 AM, EA Draffan <ead@ecs.soton.ac.uk> wrote:
> >
> >> If the suggested minimal activity were possible and there was some way
> of
> >> alerting the user to the time passing, that would be a better solution
> >> than
> >> not being able to complete the task, as long as the security experts are
> >> happy.
> >>
> >> Best wishes
> >> E.A.
> >>
> >> Mrs E.A. Draffan
> >> WAIS, ECS , University of Southampton
> >> Mobile +44 (0)7976 289103 <+44%207976%20289103>
> >> http://access.ecs.soton.ac.uk<http://access.ecs.soton.ac.uk/>
> >> UK AAATE rep http://www.aaate.net/
> >>
> >>
> >> ________________________________
> >> From: David MacDonald [david@can-adapt.com]
> >> Sent: 09 February 2017 14:53
> >> To: WCAG; Jonathan Avila; Alastair Campbell; Glenda Sims; Gregg C
> >> Vanderheiden
> >> Subject: Timing Adjustable: does it apply to timeout from inactivity (no
> >> mouse, keyboard activity)
> >>
> >> I've been asked to comment on the newly proposed "timed events" SC. (1)
> >>
> >> What are other evaluators doing with time outs from inactivity? I've
> >> been
> >> recommending a warning before 20 seconds before the time out "Do you
> need
> >> more time" with "yes/no" buttons.
> >>
> >> But if the session stays open as long as the user is active, one might
> >> argue that the user extended the time limit simply by clicking,
> >> scrolling,
> >> typing ... if they did *nothing* it would time out in 15 minutes, but by
> >> using the mouse/keyboard at least every 14:59, they could stay in their
> >> account for up to 150 minutes.
> >>
> >> It's a significant question, because if that is the case then I'd say
> >> there is more flexibility with COGA's requests, which would deal with a
> >> *truly* timed events rather than a simple inactivity logout. Security
> >> people worry about an abandoned computer left open to others to exploit
> >> and
> >> don't like extending inactivity logouts.
> >>
> >> Thoughts?
> >>
> >> ==========
> >>
> >> (1) https://github.com/w3c/wcag21/issues/14
> >>
> >>
> >> Cheers,
> >> David MacDonald
> >>
> >>
> >>
> >> CanAdapt Solutions Inc.
> >>
> >> Tel: 613.235.4902 <(613)%20235-4902>
> >>
> >> LinkedIn
> >> <http://www.linkedin.com/in/davidmacdonald100>
> >>
> >> twitter.com/davidmacd<http://twitter.com/davidmacd>
> >>
> >> GitHub<https://github.com/DavidMacDonald>
> >>
> >> www.Can-Adapt.com<http://www.can-adapt.com/>
> >>
> >>
> >>
> >> Adapting the web to all users
> >>
> >> Including those with disabilities
> >>
> >> If you are not the intended recipient, please review our privacy policy<
> >> http://www.davidmacd.com/disclaimer.html>
> >>
> >
>
>
>