2.2.8 responses

From WCAG WG

Current SC Text

2.2.8 Where data can be lost due to user inactivity, users are warned at the start of a process about the length of inactivity that generates the timeout, unless the data is preserved for a minimum of 24 hours of user inactivity. (Level AAA)

Issue responses

Issue #403 KristinaEngland commented on Sep 28

Proposed Response

Kristina, thank you to you and the UMass team for your feedback. The updated version of SC 2.2.8 does not include the ability to extend the length of time. The new language has been set at AAA because of the difficulty in accurately correlating and tracking user activity with server-side and client-side activity.

Issue #448 and #475

mbgower commented 21 days ago

"User inactivity" should likely be defined. For instance, does timing begin from a user login? What differences should be considered for server-side functionality versus client side?

https://github.com/w3c/wcag21/issues/448

AidanA11y commented 20 days ago

In practice this would be very hard to do. Timeouts are sometimes determined by mid-tier or back end calls and may not correspond directly to what a user perceives as activity such as scrolling or entering input. Moving to a new screen may not necessarily reset the timer. Also, some security approaches intentionally vary the length of the timeout without disclosing the time as a fraud prevention measure.

https://github.com/w3c/wcag21/issues/475

Proposed Definition:

User Inactivity: Any continuous period of time where no user actions occur that trigger tracked client or server activity. The method of tracking will be determined by the web site or application and should be consistent with the way the site or application determines timeouts.

IBM comment 2 on 2.2.8 Timeouts #449

mbgower commented 29 days ago

IBM supports users being notified of timeouts at the start of a process. However, IBM has mild concerns that the SC is not scoped. For example, if a user is simply signing up as a new user and has 4 fields to fill in (username, email address, password and password confirmation), it seems onerous to insist that such a simple design must include text about timeouts.

Discuss: There has been discussion of exempting log-in screens.

Issue #555

Filed by email 14 October 2017 by @JanRichards

Does this include un-submitted data (e.g. in text fields)?

Proposed Response

Yes. The phrase "...unless the data is preserved" includes user-entered data that has not yet been submitted. If this exception is used, then data can be retained by saving every keystroke in an authenticated session, periodic autosaving, or saving the data at the point of timeout.

Success Criterion 2.2.8 Timeouts #351

GreggVan commented on Sep 1

Suggest that this be changed to 20 hours rather than 24 hours. When we examined this in WCAG 2.0 there was an issue that came up with holding data for 24 hours. Changing it to 20 or 22 or 23 hours will not have any significant impact on users but can address issues of holding information for more than a day. I wish I could find a reference but I looked and cannot

Recommend we change this to 20 hours


Proposal (before TPAC)

Timeouts (AA)

2.2.8 Where data can be lost due to user inactivity, users are warned at the start of a process about the length of inactivity that generates the timeout, unless the data is preserved for a minimum of 20 hours of user inactivity or the data is part of the log-in process. (Level AA)

Definition

User Inactivity: Any continuous period of time where no user actions occur that trigger tracked client or server activity. The method of tracking will be determined by the web site or application and should be consistent with the way the site or application determines timeouts.

Include in Understanding/Techniques Document:

Techniques to save data if the exception is used include:

  • Saving every keystroke
  • Auto-saving at regular intervals
  • Saving data on timeout

Result of TPAC Discussion

Timeouts (AAA)

2.2.8 Where data can be lost due to user inactivity, users are warned about the estimated length of inactivity that generates the data loss, unless the data is preserved for a minimum of 20 hours of user inactivity.

Definition

User Inactivity: Any continuous period of time where no user activity occurs. The method of tracking user activity will be determined by the web site or application.

Include in Understanding/Techniques Document:

Techniques to save data if the exception is used include:

  • Saving every keystroke
  • Auto-saving at regular intervals
  • Saving data on timeout

Also include a note that data entered into static forms, which remain until the user leaves the page, is out of scope of this SC, as there is no timeout in this situation.