Re: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity) from Sailesh Panchang on 2017-02-09 (w3c-wai-gl@w3.org from January to March 2017)

From: Sailesh Panchang <sailesh.panchang@deque.com>
Date: Thu, 9 Feb 2017 11:21:09 -0500
To: David MacDonald <david@can-adapt.com>
Cc: EA Draffan <ead@ecs.soton.ac.uk>, WCAG <w3c-wai-gl@w3.org>, Jonathan Avila <jon.avila@ssbbartgroup.com>, Alastair Campbell <acampbell@nomensa.com>, Glenda Sims <glenda.sims@deque.com>, Gregg C Vanderheiden <greggvan@umd.edu>
Message-ID: <CAJi9CqpW_21Zz5qm0VaBAK4Cx7mwU4g3Q0eJswAuUVeZNgRaiw@mail.gmail.com>

If the user fails to convey activity or  to respond to the 'Continue
session?' dialog then it is ok to be timed out.
If the application is  going to permit one to extend session say a
limited number of times, then it is important for the dialog to convey
that. i.e. "Continue session? (8 attempts left)'

I usually recommend pretty much what the WCAG says: "Warn the user
before time expires and give the user at least 20 seconds to extend
the time limit with a simple action (for example, "press the space
bar"). Show this warning a few times as considered reasonable (WCAG
suggests at least ten times)".
Content authors can then balance security and accessibility  requirements.

By the way, I find some applications  do a poor job of sensing
activity and the popup appears even as one is interacting with an
application: even apps that for which timing is not criticaal, like
entering data into an online tax app as against an online ticket
purchase site.

Is what Jason  requests, "preserving all of the data entered and steps
completed by the user, and allowing them to return to the step at
which they were forcibly logged out" not the same as what SC 2.2.5
suggests?
Thanks and regards,
Sailesh Panchang

On 2/9/17, David MacDonald <david@can-adapt.com> wrote:
>> If the suggested minimal activity were possible and there was some way of
> alerting the user to the time passing, that would be a better solution than
> not being able to complete the task, as long as the security experts are
> happy.
>
> In the scenario I'm interested in, the session says open while the user is
> active in the program. It would only time out if they didn't interact with
> the page for 15 minutes. So the clock is not counting down while they are
> interacting with the site, only when they are not interacting with it.
>
> Cheers,
> David MacDonald
>
>
>
> *Can**Adapt* *Solutions Inc.*
> Tel:  613.235.4902
>
> LinkedIn
> <http://www.linkedin.com/in/davidmacdonald100>
>
> twitter.com/davidmacd
>
> GitHub <https://github.com/DavidMacDonald>
>
> www.Can-Adapt.com <http://www.can-adapt.com/>
>
>
>
> *  Adapting the web to all users*
> *            Including those with disabilities*
>
> If you are not the intended recipient, please review our privacy policy
> <http://www.davidmacd.com/disclaimer.html>
>
> On Thu, Feb 9, 2017 at 10:18 AM, EA Draffan <ead@ecs.soton.ac.uk> wrote:
>
>> If the suggested minimal activity were possible and there was some way of
>> alerting the user to the time passing, that would be a better solution
>> than
>> not being able to complete the task, as long as the security experts are
>> happy.
>>
>> Best wishes
>> E.A.
>>
>> Mrs E.A. Draffan
>> WAIS, ECS , University of Southampton
>> Mobile +44 (0)7976 289103
>> http://access.ecs.soton.ac.uk<http://access.ecs.soton.ac.uk/>
>> UK AAATE rep http://www.aaate.net/
>>
>>
>> ________________________________
>> From: David MacDonald [david@can-adapt.com]
>> Sent: 09 February 2017 14:53
>> To: WCAG; Jonathan Avila; Alastair Campbell; Glenda Sims; Gregg C
>> Vanderheiden
>> Subject: Timing Adjustable: does it apply to timeout from inactivity (no
>> mouse, keyboard activity)
>>
>> I've been asked to comment on the newly proposed "timed events"  SC. (1)
>>
>> What are other evaluators doing with time outs from inactivity?  I've
>> been
>> recommending a warning before 20 seconds before the time out "Do you need
>> more time" with  "yes/no" buttons.
>>
>> But if the session stays open as long as the user is active, one might
>> argue that the user extended the time limit simply by clicking,
>> scrolling,
>> typing ... if they did *nothing* it would time out in 15 minutes, but by
>> using the mouse/keyboard at least every 14:59, they could stay in their
>> account for up to 150 minutes.
>>
>> It's a significant question, because if that is the case then I'd say
>> there is more flexibility with COGA's requests, which would deal with a
>> *truly* timed events rather than a simple inactivity logout. Security
>> people worry about an abandoned computer left open to others to exploit
>> and
>> don't like extending inactivity logouts.
>>
>> Thoughts?
>>
>> ==========
>>
>> (1) https://github.com/w3c/wcag21/issues/14
>>
>>
>> Cheers,
>> David MacDonald
>>
>>
>>
>> CanAdapt Solutions Inc.
>>
>> Tel:  613.235.4902
>>
>> LinkedIn
>> <http://www.linkedin.com/in/davidmacdonald100>
>>
>> twitter.com/davidmacd<http://twitter.com/davidmacd>
>>
>> GitHub<https://github.com/DavidMacDonald>
>>
>> www.Can-Adapt.com<http://www.can-adapt.com/>
>>
>>
>>
>>   Adapting the web to all users
>>
>>             Including those with disabilities
>>
>> If you are not the intended recipient, please review our privacy policy<
>> http://www.davidmacd.com/disclaimer.html>
>>
>

Received on Thursday, 9 February 2017 16:21:44 UTC