2.2.5 Re-authenticating Level AAA

When an authenticated session expires, the user can continue the activity without loss of data after re-authenticating.

Testing & Remediation

How to test: On a site that requires user login to submit data,
  1. Log in and begin the timed activity.
  2. Allow the session to time out.
  3. Submit the data.
  4. Re-authenticate.
  5. Check that the process can continue and be completed without loss of data, including the original data and any changes made after re-authentication.
How to remediate: There are a few ways to handle issues related to this success criterion. One is to keep the session alive while the user is active: listen for events such as keypresses and clicks and refresh the session on them, throttled so that a burst of events produces a single request. This extends the idle timeout legitimately, because the events are evidence that the user is still there. The server should still enforce an absolute session lifetime, since a script that generates synthetic events could otherwise keep a session alive indefinitely.
  • Use browser events to keep the session alive before the form is submitted.
  • If the session is about to expire, save the entered data as a draft (server-side, bound to the user, or in client storage that is cleared once the submission succeeds).
  • If the session has expired, use a lightbox to collect credentials again, then resubmit the saved data without navigating away from the form.
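The following is an added example written for this page, not code from the WCAG document or any particular site. It shows the three remediations together: a throttled keep-alive driven by user events, a draft saved before submission, and, on a 401, a re-authentication prompt (the lightbox in a browser) followed by a retry of the identical payload. The endpoints /api/submit and /api/reauth, the demo password and the in-memory server are assumptions; fetch, storage and the credential prompt are injected so the code also runs under Node without a browser.

```javascript
// Added example for WCAG 2.2.5: submitting a form without data loss across
// session expiry. Endpoints, the fake server and the demo password are
// constructed for this demo; in a browser pass window.fetch, sessionStorage
// and a function that opens the credential lightbox.

const DRAFT_KEY = "draft:comment-form";

// Keep-alive driven by user events (keypress, click, scroll). Throttled so a
// burst of events sends at most one request per minIntervalMs. Returns true
// when a ping was actually sent. The server must still enforce an absolute
// session lifetime; this only extends the idle timeout while the user is present.
function createKeepAlive({ ping, minIntervalMs, now = Date.now }) {
  let lastPing = -Infinity;
  return function onActivity() {
    const t = now();
    if (t - lastPing < minIntervalMs) return false;
    lastPing = t;
    ping();
    return true;
  };
}

// Draft handling via the Web Storage API (sessionStorage in a browser, an
// in-memory stand-in below). Drafts may hold sensitive input, so prefer
// sessionStorage over localStorage and remove the draft once submission succeeds.
function saveDraft(storage, formData) {
  storage.setItem(DRAFT_KEY, JSON.stringify(formData));
}
function loadDraft(storage) {
  const raw = storage.getItem(DRAFT_KEY);
  return raw === null ? null : JSON.parse(raw);
}

// Submit; if the session has expired (401), re-authenticate once and retry
// with the identical payload. The draft is only removed after a 2xx response,
// so a cancelled or failed re-authentication never loses the user's data.
async function submitWithReauth({ fetchImpl, storage, promptCredentials, formData }) {
  saveDraft(storage, formData);
  let reauthDone = false;
  while (true) {
    const res = await fetchImpl("/api/submit", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(formData),
    });
    if (res.status === 401 && !reauthDone) {
      const creds = await promptCredentials(); // resolves to null if the user cancels
      if (!creds) return { ok: false, reason: "cancelled", draft: loadDraft(storage) };
      const re = await fetchImpl("/api/reauth", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(creds),
      });
      if (!re.ok) return { ok: false, reason: "reauth-failed", draft: loadDraft(storage) };
      reauthDone = true;
      continue; // retry the original submission with the same data
    }
    if (!res.ok) return { ok: false, reason: `http-${res.status}`, draft: loadDraft(storage) };
    storage.removeItem(DRAFT_KEY);
    return { ok: true };
  }
}

// In-memory Web Storage stand-in (constructed for the demo).
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Fake server (constructed for the demo): starts with an expired session,
// accepts the demo password "correct-horse" on /api/reauth, records submissions.
function createFakeServer({ loggedIn = false } = {}) {
  const state = { loggedIn, submissions: [] };
  const reply = (status, body) => ({ ok: status >= 200 && status < 300, status, body });
  const fetchImpl = async (url, init) => {
    const body = init && init.body ? JSON.parse(init.body) : null;
    if (url === "/api/reauth") {
      state.loggedIn = body !== null && body.password === "correct-horse";
      return state.loggedIn ? reply(200, {}) : reply(401, {});
    }
    if (url === "/api/submit") {
      if (!state.loggedIn) return reply(401, {});
      state.submissions.push(body);
      return reply(200, { id: state.submissions.length });
    }
    return reply(404, {});
  };
  return { state, fetchImpl };
}
```

In a real deployment the re-authentication endpoint should re-establish a session for the same account that started the form; if a different user logs in through the lightbox, the pending submission must be discarded rather than attributed to them. The keep-alive ping should be an authenticated request that the server counts as activity only for an already valid session.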

