RE: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity)

You are right that "preserving all of the data entered and steps completed by the user, and allowing them to return to the step at which they were forcibly logged out" is really the same as what SC 2.2.5 proposes - but unfortunately it is only AAA. However, Jason White is right when he highlights the importance of this aspect of the proposal and says it "is an aspect of the proposal that should be supported in relation to time limits for which it makes sense."

What might be good is to see if it is possible to break this out and "identify the time limits for which it makes sense", include those in the scope, and create a new success criteria that elevates this to at least AA, preferably to A.

I'd be happier to imagine a world where some users are unavoidably timed out of sessions (for security reasons or reasons beyond their control) but where they could always guarantee to re-enter the session at the same point without having lost any entered information and choices made.

Best regards

Mike

From: Sailesh Panchang [mailto:sailesh.panchang@deque.com]
Sent: 09 February 2017 16:21
To: David MacDonald <david@can-adapt.com>
Cc: EA Draffan <ead@ecs.soton.ac.uk>; WCAG <w3c-wai-gl@w3.org>; Jonathan Avila <jon.avila@ssbbartgroup.com>; Alastair Campbell <acampbell@nomensa.com>; Glenda Sims <glenda.sims@deque.com>; Gregg C Vanderheiden <greggvan@umd.edu>
Subject: Re: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity)

If the user fails to convey activity or to respond to the 'Continue
session?' dialog then it is ok to be timed out.
If the application is going to permit one to extend session say a
limited number of times, then it is important for the dialog to convey
that. i.e. "Continue session? (8 attempts left)'

I usually recommend pretty much what the WCAG says: "Warn the user
before time expires and give the user at least 20 seconds to extend
the time limit with a simple action (for example, "press the space
bar"). Show this warning a few times as considered reasonable (WCAG
suggests at least ten times)".
Content authors can then balance security and accessibility requirements.

By the way, I find some applications do a poor job of sensing
activity and the popup appears even as one is interacting with an
application: even apps that for which timing is not criticaal, like
entering data into an online tax app as against an online ticket
purchase site.

Is what Jason requests, "preserving all of the data entered and steps
completed by the user, and allowing them to return to the step at
which they were forcibly logged out" not the same as what SC 2.2.5
suggests?
Thanks and regards,
Sailesh Panchang

On 2/9/17, David MacDonald <david@can-adapt.com><mailto:david@can-adapt.com%3e> wrote:
>> If the suggested minimal activity were possible and there was some way of
> alerting the user to the time passing, that would be a better solution than
> not being able to complete the task, as long as the security experts are
> happy.
>
> In the scenario I'm interested in, the session says open while the user is
> active in the program. It would only time out if they didn't interact with
> the page for 15 minutes. So the clock is not counting down while they are
> interacting with the site, only when they are not interacting with it.
>
> Cheers,
> David MacDonald
>
>
>
> *Can**Adapt* *Solutions Inc.*
> Tel: 613.235.4902
>
> LinkedIn
> <http://www.linkedin.com/in/davidmacdonald100><http://www.linkedin.com/in/davidmacdonald100%3e>
>
> twitter.com/davidmacd
>
> GitHub <https://github.com/DavidMacDonald><https://github.com/DavidMacDonald%3e>
>
> www.Can-Adapt.com<http://www.Can-Adapt.com> <http://www.can-adapt.com/><http://www.can-adapt.com/%3e>
>
>
>
> * Adapting the web to all users*
> * Including those with disabilities*
>
> If you are not the intended recipient, please review our privacy policy
> <http://www.davidmacd.com/disclaimer.html><http://www.davidmacd.com/disclaimer.html%3e>
>
> On Thu, Feb 9, 2017 at 10:18 AM, EA Draffan <ead@ecs.soton.ac.uk><mailto:ead@ecs.soton.ac.uk%3e> wrote:
>
>> If the suggested minimal activity were possible and there was some way of
>> alerting the user to the time passing, that would be a better solution
>> than
>> not being able to complete the task, as long as the security experts are
>> happy.
>>
>> Best wishes
>> E.A.
>>
>> Mrs E.A. Draffan
>> WAIS, ECS , University of Southampton
>> Mobile +44 (0)7976 289103
>> http://access.ecs.soton.ac.uk<http://access.ecs.soton.ac.uk/><http://access.ecs.soton.ac.uk/%3e>
>> UK AAATE rep http://www.aaate.net/
>>
>>
>> ________________________________
>> From: David MacDonald [david@can-adapt.com<mailto:david@can-adapt.com>]
>> Sent: 09 February 2017 14:53
>> To: WCAG; Jonathan Avila; Alastair Campbell; Glenda Sims; Gregg C
>> Vanderheiden
>> Subject: Timing Adjustable: does it apply to timeout from inactivity (no
>> mouse, keyboard activity)
>>
>> I've been asked to comment on the newly proposed "timed events" SC. (1)
>>
>> What are other evaluators doing with time outs from inactivity? I've
>> been
>> recommending a warning before 20 seconds before the time out "Do you need
>> more time" with "yes/no" buttons.
>>
>> But if the session stays open as long as the user is active, one might
>> argue that the user extended the time limit simply by clicking,
>> scrolling,
>> typing ... if they did *nothing* it would time out in 15 minutes, but by
>> using the mouse/keyboard at least every 14:59, they could stay in their
>> account for up to 150 minutes.
>>
>> It's a significant question, because if that is the case then I'd say
>> there is more flexibility with COGA's requests, which would deal with a
>> *truly* timed events rather than a simple inactivity logout. Security
>> people worry about an abandoned computer left open to others to exploit
>> and
>> don't like extending inactivity logouts.
>>
>> Thoughts?
>>
>> ==========
>>
>> (1) https://github.com/w3c/wcag21/issues/14
>>
>>
>> Cheers,
>> David MacDonald
>>
>>
>>
>> CanAdapt Solutions Inc.
>>
>> Tel: 613.235.4902
>>
>> LinkedIn
>> <http://www.linkedin.com/in/davidmacdonald100><http://www.linkedin.com/in/davidmacdonald100%3e>
>>
>> twitter.com/davidmacd<http://twitter.com/davidmacd><http://twitter.com/davidmacd%3e>
>>
>> GitHub<https://github.com/DavidMacDonald><https://github.com/DavidMacDonald%3e>
>>
>> www.Can-Adapt.com<http://www.can-adapt.com/><http://www.can-adapt.com/%3e>
>>
>>
>>
>> Adapting the web to all users
>>
>> Including those with disabilities
>>
>> If you are not the intended recipient, please review our privacy policy<
>> http://www.davidmacd.com/disclaimer.html><http://www.davidmacd.com/disclaimer.html%3e>
>>
>


________________________________

Received on Thursday, 9 February 2017 16:57:59 UTC