Another timeout consideration

	Guideline 2.2 doesn't obviously cover an important scenario -
that of an authenticated session suffering an inactivity timeout,
particularly if this happens when the user submits a form.  I would
suggest that when this happens:

a) it should be clear to the user what has happened.
b) the user should be given the opportunity to re-authenticate themselves.
c) once they are re-authenticated they should be presented with the same
   "page" as they would have received if the timeout had not occurred.
   In particular, any form input should be carried across the
   authentication process, so that it does not have to be re-entered.

Hope this helps.

-----------------------------------------------------------------
Dr Philip J. Naylor AFRSPSoc,
Scientific Computer Support Officer,
Department of Engineering Mathematics,
University of Bristol.

Received on Wednesday, 18 May 2005 15:34:13 UTC
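
An added illustration of points (a) to (c), not part of the original message: a server-side stash that holds a timed-out form post and hands it back only once, and only to the same user, after re-authentication. The class, function and field names, the 10-minute lifetime and the dict-shaped session are all assumptions made for the example.

```python
import secrets
import time

STASH_TTL = 600  # seconds a stashed post stays resumable (assumed value)
SENSITIVE = {"password", "card_number"}  # hypothetical fields that are never stashed


class PendingSubmissions:
    """Server-side holding area for form posts that arrive on an expired session."""

    def __init__(self, clock=time.time):
        self._items = {}
        self._clock = clock

    def stash(self, expired_user, path, form):
        """Keep the form on the server; return an opaque token for the login page."""
        token = secrets.token_urlsafe(32)
        kept = {k: v for k, v in form.items() if k not in SENSITIVE}
        self._items[token] = (expired_user, path, kept, self._clock() + STASH_TTL)
        return token

    def redeem(self, token, authenticated_user):
        """Return (path, form) once, only to the user whose session expired."""
        item = self._items.pop(token, None)  # single use, even when a check fails
        if item is None:
            return None
        user, path, form, deadline = item
        if self._clock() > deadline or user != authenticated_user:
            return None
        return path, form


def handle_post(store, session, path, form):
    """Points (a) and (b): say what happened and offer re-authentication."""
    if session.get("user") and not session.get("expired"):
        return {"status": 200, "render": path, "form": form}
    token = store.stash(session.get("user"), path, form)
    return {"status": 401, "resume": token,
            "message": "Your session timed out. Sign in again; your input was kept."}


def handle_login(store, user, resume_token):
    """Point (c): after login, present the same page with the saved input."""
    resumed = store.redeem(resume_token, user)
    if resumed is None:
        return {"status": 200, "render": "/home", "form": {}}
    path, form = resumed
    # Re-display the form for confirmation instead of silently replaying the action.
    return {"status": 200, "render": path, "form": form}
```

Keeping the form on the server and passing only a random token through the login page avoids echoing user input through hidden fields or URLs, and binding the stash to the original user stops one account's input being replayed under another.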