"User Inactivity" on 2.2.8


We have two comments on SC 2.2.8 regarding user inactivity, which I've included at the bottom for your reference.

The concern is whether user inactivity applies to server-side, client-side or both. From an end user's perspective, I believe user inactivity would include both server-side and client-side activity, but from an implementation standpoint defining it as such will put a greater burden on the developers to track client-side actions that they are not currently tracking.

Since this is currently a AAA, I suggest we define user inactivity as including both client- and server-side activity.




2.2.8 Where data can be lost due to user inactivity, users are warned at the start of a process about the length of inactivity that generates the timeout, unless the data is preserved for a minimum of 24 hours of user inactivity.  (Level AAA)

Comment 1:

"User inactivity" should likely be defined. For instance, does timing begin from a user login? What differences should be considered for server-side functionality versus client side?

Comment 2:
In practice this would be very hard to do. Timeouts are sometimes determined by mid-tier or back end calls and may not correspond directly to what a user perceives as activity such as scrolling or entering input. Moving to a new screen may not necessarily reset the timer.

Received on Sunday, 29 October 2017 22:12:05 UTC