2.2.6 Timeouts Level AAA

Users are warned of the duration of any user inactivity that could cause data loss, unless the data is preserved for more than 20 hours when the user does not take any actions.

*Privacy regulations may require explicit user consent before user identification has been authenticated and before user data is preserved. In cases where the user is a minor, explicit consent may not be solicited in most jurisdictions, countries or regions. Consultation with privacy professionals and legal counsel is advised when considering data preservation as an approach to satisfy this success criterion.

[View on W3C.org]

Testing & Remediation

How to test: Begin a workflow on your site (filling out a form, starting a purchase, etc.) and confirm that users are warned about the duration of inactivity that will cause a timeout.

How to remediate (any one of the following satisfies the criterion):
  • Set the session timeout to occur only after at least 20 hours of inactivity.
  • Store user data for more than 20 hours, so that a timeout does not lose it.
  • Provide a warning of the duration of user inactivity at the start of the process.

Questions and Answers