Timeout warning #104
Comments
|
I had a chat with @hannalaakso and the example component still needs to be separated into: Timeout waring & Modal Dialogue (aka Modal window, pop-up). We recommend for now to look at both issues in the backlog. |
|
Context: The Patterns and Components team (now GOV.UK Design System team) built a prototype timeout warning component for user research and for exploring what it would take to publish a production ready component. Code for prototype that the team tested with. The below proposes guidance for the above mentioned timeout warning component that was tested Draft guidance for Timeout warning componentUse this component to warn users that their session is about to time out. A timeout warning helps services meet WCAG 2.0 success criterion 2.2.1 - that services warn users before a timeout occurs and allow them to extend it. Example:
When to use this componentThe timeout warning should appear 5 minutes before the timeout is due to occur. Follow the session timeout pattern to ensure your timeout is well designed. How it worksAfter a period of inactivity, the timeout warning is shown the user. The user is given a period of time to take action, with a count down to show amount of time left. The actions presented would typically be to continue with the application (thus resetting the timer), or a secondary action suitable to the service - such as cancelling the application or saving it. If the user does not choose to continue the application within the time limit, they will be redirected to a timeout page that explains what has happened and give options for how to continue. The session timeout pattern contains an example of this page. Services should watch for user activity and extend the timeout appropriately. This is particularly important for services or pages which may take users longer than the timeout duration to complete. How client side and server could potentially communicate - draftWhen the user loads a page, the server records this as the last interaction in the session.
Progressive enhancementUsers who have JavaScript enabled can extend their session. This is progressive enhancement since it is possible for users without JavaScript to use and interact with the service. No JavaScript solutionFor situations where the user does not have Javascript, the service could consider the following: Tell user by which time they'll need to have completed the form (include name of timezone) and hide this message with JavaScript. The following enhanced solution where user is able to extend their session without JavaScript was discussed but was deemed to add too much complexity: AccessibilityHaving a timeout warning helps services meet WCAG 2.0 success criterion 2.2.1 - that services warn users before a timeout occurs and allow them to extend it. Services should not limit the number of times users can extend their session. In addition, the timeout warning:
These are:
The first will warns that users will need to start again, whilst the second should advise how users can track / get more information about a completed application. Research on this componentWe carried out research lab sessions in autumn 2017 with various different types of users. Findings: Devices tested onChrome, Firefox, Safari (desktop) - latest version at the time of writing AccessibilityAT technology that the component has been tested with: On AT, the timer updates every 15 seconds. These timings are currently being reviewed by the GDS accessibility team. We have written accessibility acceptance criteria that was reviewed by GDS Accessibility team: List of accessibility attributes on the component:
More research needed to find out:The steps leading to the appearance and dismissal of the modal when user has site open across multiple tabs, see card User research on Timeout warning (from User research on Google DocsContext: The Patterns and Components team (now GOV.UK Design System team) built a prototype timeout warning component for user research and for exploring what it would take to publish a production ready component. The below details the findings from user research Timeout warning findings Overview We tested timeout warning with 17 users in total. You can find the guidance document for timeout warning here About timeout warningWe are building a modal dialog with a timeout warning. Also referred to as ‘session timeout warning’. It is basically a message that comes up on the screen after the user has been inactive for a period of time and warns them that their application or session will be timed out. It then should give the user a few options like continue with their application or perhaps cancel the application. We tested with three different options presented for the users:Continue with the application Example Why a modal dialog?Modal dialogs - better known as popups - are a window that appears on the screen and requires the user to interact with it before continuing. There’s a lot of guidance and discussion around modal dialogs and when not to use them. But they are useful when you need the user to focus on one task and one task alone. Often they are used to inform the users about something important that needs an action from them. For example, a good use case of modal dialogs could be divided into after two different types. The first type is when the user by an action has triggered it. For example this could be after the user has clicked on closing or deleting something. *** Replace with Gov example? And the second type is what we’ve been working on for the last couple of months - a timeout warning modal dialog that only comes up if the users has not performed any actions on the screen for an extended period of time. Our findings1st versionWe set this to appear after two minutes of inactivity, which we obviously understands is a very short and unrealistic time, but for the purpose of testing the component we felt it was fine. Instant but correct reactions? We also asked the users at that point or when it appeared later on what their understandings was about the modal dialog, and what their options were. When asked they all responded that the timeout warning had appeared to them not being active on the application. So in all cases it validated that they understood what it was for and why it had appeared on the screen. Mixed understandings When asked what would have happened to the information that they had already filled in if their application would have been timed out it appeared that not all users understood that their data would have been lost if they didn’t click on ‘Continue application’. This had us thinking, did the user really understand what their options were? Could we test this by adding another option on the modal that they could interact with? So we decided to tweak our component slightly and remove the ‘Cancel application’ button and instead replace it with a ‘Save application’ button instead. This was something a couple of the participants had also mentioned themselves during the session as something they’d like to have seen. 2nd versionUsers didn’t click on ‘save’ Users seem clear that it’s for security reasons SummaryUsers have high awareness of timeouts and timeout warnings We assume that the most common scenario for when a timeout warning will appear is if a user has left their computer to do something else. A timeout warning should not appear ifthe user has not progressed through a page after a long time but has still been active on it. For example, if they need to write something that is more complex than selecting a radio button the timeout needs to be longer. Modal dialogs works well for timeout warnings What is a reasonable time limit? Save and return? Outstanding research required:Additional testing with assistive technologies - general testing Additional research of interest:Additional testing with users of various access needs; Lab testingDesktop (windows), laptop (windows), iPhone, Android, iPad Devices tested onChrome, Firefox, Safari (desktop) - latest version at the time of writing Assistive technology tested withAT technology that the component has been tested with: |
|
that's amazing @hannalaakso thanks for this! |
|
The new WCAG 2.1 (Level AAA) guidelines specify that: "Users are warned of the duration of any user inactivity that could cause data loss, unless the data is preserved for more than 20 hours when the user does not take any actions." |
I should note that over the years we've had several reports from other services that have warned users upfront about timeouts and found that those users' concern was greatly increased - as generally they read it as '30 minutes to complete the application' rather than 30 minutes of inactivity. |
|
We've been discussing the service timeout pattern in our HMRC Working Group. At present, our timeout is set at 15 minutes by default and our discussion have mostly been around the legitimacy of increasing this to, for example, 30 minutes where there's a strong user need. Whether designers are able to do this or not is currently quite hazy, and we have been fielding requests that when this pattern is documented it is made more transparent that times can be increased and guidance is given about the process for doing this. I'm wondering - is this something that should be dealt with on a departmental level, or can this be covered within the GOV.UK Design System? |
|
Does anybody have any comments on Jennifer's question? |
|
Hi there, I think we can deal with the question of how to use session timeouts separately from the question of how/when to warn users that the timeout is going to happen. So I've raised a new issue and added it to the backlog: #207 |
|
Comment by @mikeash82, copied from #175 (duplicate issue): @gavinwye commented on 31 Jan 2017 Originally discussed on HMRC internal Slack by @adamfenwick in collaboration with @roblav @roblav commented on 9 Feb 2017 Feedback from Repayments project DAC report: Page refreshWCAG 2.0 References: WCAG 2.0 reference 2.2 - Enough time Pages that are refreshed periodically can cause access problems for people with disabilities. Some with disabilities simply need more time to finish reading a page or completing a form. Refreshing the page before the user has finished using it can be a very frustrating experience; particularly if the session is reset and any interaction with the page, such as a partially completed form is lost. Although we appreciate that session time-outs are important for security, these must not Result = Fail A time-out was present that resulted in users being logged out after a certain time of High priority ATechnical Comment: Time-out without warning Issue ID: DAC_TECH_Refresh_Issue1 Screen Shot: There is a time-out feature present on the service that does not warn users that this is the Issue ID: DAC-USER-SRTB-T1-02
Screen shot 2 showing time out message:
SolutionFor each time limit that is set by the content, at least one of the following is true: Turn off: The user is allowed to turn off the time limit before encountering it; or @roblav commented on 9 Feb 2017 Here's the pattern that was created by Jen Rahman and Billy Adamson.
We followed the guidance of Chris Moore, our very own Accessibility champion, about the implementation using a modal box, implementing our solution using the criteria that follows. Make sure the modal dialog box is accessible
Online references
@feedmypixel commented on 9 Feb 2017 @roblav thanks for the contribution. Some comments we had in slack that are worth exposing in this issue: IMO what is needed from session timeout:
Thoughts:
To start with I'd ask what is the user need? and how can we address this in a progressive and accessible way? A good read around modalshttps://developer.appway.com/screen/ShowSingleRecipe/selectedRecipeId/1390246496349 @adamliptrot-oc commented on 9 Feb 2017 Whilst inline alerts described by the linked article are generally preferable to dialogs, the difference between this and the examples cited is that those examples are the result of direct user interaction triggering the dialog and user focus is on the particular part of the screen where the alert will be inlined. Here we are talking about something which is not a result of user interaction and needs to be brought front-and-centre for the user. In addition, the examples don’t have any major consequences if the user does not interact with the dialog, whereas in the case of the timeout they can be signed out. What we don't want is for this dialog pattern to be taken as a reason to introduce more dialogs where inlined alerts would be preferable. So if progressed I think we'd need a set of preferred patterns developing to cover other instances where people might think to employ a dialog (such as those in the linked article). @adamliptrot-oc commented on 9 Feb 2017 I think the 20-hour exemption quoted in https://www.w3.org/TR/WCAG20/#time-limits feels a little arbitrary. @roblav commented on 9 Feb 2017 In response to your the above comments:
The content provided in the modal has been supplied by the content/design team, and has been approved by Chris Moore. It explains that it is for the users security that they will be signed out.
This isn't an issue as they are still on the page, at the same point in the service.
This happens already as required by the criteria given in Make sure the modal dialog box is accessible - on close, keyboard focus must be returned to the original point on the page @feedmypixel commented on 9 Feb 2017
@roblav thanks. My thoughts were about providing these needs without a modal. Then potentially there may be no need for one. @timsb commented on 23 Feb 2017 Hi all, I found this this morning and thought it might be helpful - http://blog.barrierbreak.com/2017/02/14/modal-dialogs-and-accessibility-a-tricky-minefield/ @david-mcdowell commented on 22 Mar 2017 Hi, I've recently created some new timeout screens for lost creds and 2SV registration. Lost creds - the user will see this error during a lost credentials flow. I think the inactivity is set to 7 minutes 2SV - this one is displayed when access code text (or call back) takes too long to arrive @david-mcdowell commented on 22 Mar 2017 We also use this one in the IV journey, usually appears if the user takes too long to find evidence options. e.g. they've gone to find a payslip to prove their identity and it takes too long.
@david-mcdowell commented on 22 Mar 2017 this one also got sent round the design team and I thought it was useful to inform my thinking.
@alex16wake commented on 25 Jul 2017 On SCRS we have a modal window that someone else has mentioned and we used this because it has been approved for accessibility and tested well with users when we did some scenario testing. Example below
@stevenaproctor commented on 26 Jul 2017 I think we need to look at the content of all these suggestions. There is a lot of jargon that could be made simpler. Things like timeout, inactivity, session are web jargon. For a modal, screen readers must announce the title and set focus to the link or button at the same time. Not all content may be read out. Something like: <title>For your security, you will be signed out in 1 minute. Stay signed in@gavinwye commented on 30 Aug 2017 Meeting notesAttendeesNotes
Actions
@chrismoorembe commented on 31 Aug 2017 I’ve taken a look at the proposed GDS time-out modal with JAWS 17 for Windows, and the current versions of VoiceOver screen reader for Mac and iOS. The first thing that struck me about the modal is that it has been coded to use the tag. This is great for ensuring it isn’t dependant on JavaScript, but fails to correctly work on those browsers that don’t fully support the dialog tag yet. The modal worked fine on Chrome, Firefox and the latest version of Safari on the Mac. Focus is moved to the action button to extend the session and there is a keyboard trap so non mouse users can’t stray outside the modal. When testing with IE11, the modal doesn’t behave completely as expected as there is no keyboard trap, and the button that has default focus is not automatically announced. Also, the modal completely falls over while using Safari on iOS. This is a deal breaker for me, as in the last GOV.UK assistive technology survey, both IE11 and Safari for iOS were the 2 most commonly used browsers with screen readers. Robert’s prototype worked across all browsers and assistive technologies and this was also independently tested by the Digital Accessibility Centre. I also feel that the content being used inside the modal is more verbose than it needs to be, and that having 3 actions falls short of simplicity. I also didn’t expect the ‘Cancel’ link to take me back to the GOV.UK home page. To keep things simple, I think there should be only one action within the modal to extend the time-out. The user should be able to trigger this by the escape key to dismiss the modal, activate the default action button by spacebar, enter, tap or mouse click. If the time out is extended, the user can either save their current information or continue with the application. If less idle the modal box will close the application and the user will b taken to a page that explains to the user what happened and why, and what they can do next. The timed out page on offer by GDS also enables the user to go back to the GOV.UK modal, so I feel that including ‘Cancel’ within the modal offers little value. The user also has the option to delete their data, but how this differs to the application being reset may not be clear to users. If the user chooses to leave the page, go back to the GOV.UK home page or close the application, we should automatically delete the data. The GDS wording for the time-out modal is: Alert:Your application will time out soon We will reset your application if you do not respond in 1 minute. We do this to keep your information secure. Useful additional information: you have not left the current page. If you close this modal, you will be able to continue with your current application. Continue application (button) Comment: This could be much simpler, less verbose and I don’t think real users will know what a modal is. Suggestion: "Alert:Your application will time out soon We will reset your application if you do not respond in 1 minute. We do this to keep your information secure. Continue using application (button)" When the user is finally kicked out for inactivity, they get the following message: <TITLE>You’ll have to start again</TITLE>Your application has timed-outWe have reset your application because you did not do anything for 10 minutes. We did this to keep your information secure. Start application againIf you don’t want to start again, you can Return to GOV.UK</link.
Comment: We usually advise that the page title and H1 should mirror each other, but they don’t in this pattern. Has it been determined that 10 minutes is all we now need to allow before a product or service times out? We are currently giving 15 minutes on HMRC services The wording above refers to the service as an application. Is this wording being used because the service is enabling the user to apply for something? Are we able to amend the wording to meet our BTA/PTA needs? For example: “ <TITLE>You’ve been signed out</TITLE>You’ve been signed outWe have signed you out of your account. because you did not do anything for 15 minutes. We did this to keep your information secure." I am not sure what timed out wording we are currently using within Robert’s prototypes, but I’ll leave the crafting to Steve and Fred.
@stevenaproctor commented on 31 Aug 2017 I worked with @roblav on the content of his alert and me and @rebekah-barry from DWP made suggestions to @edwardhorsford for GDS's. I totally agree with @chrismoorembe that the content is too long. Do people need that much explanation? Does it add value at that moment in time? We should avoid 'sorry' because we are not sorry, 'modal', 'timed out' or any kind of web jargon. There needs to be at least 2 versions: one for a service you are signed in to, and one where you are not. I have taken a look at the content we suggested and refined it a little. Hopefully this will help @fred-jackson. For a service you are signed in to The second sentence in the title is optional. If you have save and return you could say "Your details have been saved." The link should be under the green button not floating to the right of the button. That looks odd to me and means the button is on the left of the box and not full width like it is on a transaction page. For a service you are not signed in to Again, the link should be under the green button not floating to the right of the button. The link should take them to the service's start page. It is not logical to take them to GOV.UK because they may never have been there during their journey. When you have been signed out If they are signed in to the service: Title: You have been signed out Again, the second sentence in the paragraph is optional and could say "Your details have been saved." if the service has save and return. If they are not signed in to the service: Title: You will have to start again @edwardhorsford commented on 31 Aug 2017 Hi @chrismoorembe / @stevenaproctor @gavinwye , I worked on our modal design with @hannalaakso. She can hopefully take a look at the HMRC modal and your findings. Ideally we'd get the best of both. Our intention (and the bulk of the work) has been on accessibility. We've so far taken it through 2 rounds of user research, with 2 more to follow. So far it as worked very well, with some content tweaks in the last round. Understanding of it has been really high - everyone seems to know what 'timed out' means. Has anyone observed users using browser back when the modal opens? I'm planning adding something to the history when it opens so that if they do use browser back, they stay on the current page (and delete from history when closed). @chrismoorembe going through your comments in turn:
It's meant to - must be a bug. This is a similar implementation to the one I shared with you last year that you liked.
Sounds like a bug for @hannalaakso to look at. We intend to support a wide range of AT.
Agreed. I am going to work with our content designer on it. I don't think we need to say so much. We're trying to satisfy our accessibility acceptance criteria that users know when a modal has opened - I think we can do this whilst saying less.
I'd consider this placeholder / prototype. There will likely be a secondary link and it will likely go somewhere.
The intention is for there to be only one way to extend. Do you see more than one? I'm unsure whether
This is a artefact of the prototype. In a real service, once you've timed out, you won't be able to return to where you were.
Agreed - will talk with a content designer about this, and making it simpler.
I suspect many services will need / want a secondary action - either to quit the application, or to save and return later. This will be for services to decide.
This is a mistake in the prototype.
We're using an artificially short time in user research so the modal shows up more frequently. Ultimately the timeout will be for services to decide. I expect our guidance to be that it shouldn't be less than 15 minutes, ideally 30 minutes or more. We'll likely advise the timeout warning comes up 5 minutes before timeout.
Yes. Aspects of the wording will need to change depending on the type of service - particularly whether it includes any form of 'save and return'. We're hoping to have two sets of content - but services will obviously have to adapt these to suit their needs. There's actually a third case as well where users have successfully applied for a thing (and are on the completion page), but then time out. In that case, they don't need to start again, because they're done.
I'm unconvinced about this - we do it in several places on GOV.UK. Whats your thinking? FYI buttons are only full width on mobile, not on desktop. If you open this modal on mobile, you'll get a full width button.
I'm wary of this sentence - I don't think it's clear how you might go about 'sending' something or what the user needs to do. They can't actually send or save anything from this page - so what are they meant to do with this sentence? The real answer is that if they do nothing, any information on the current page will be lost. @stevenaproctor commented on 31 Aug 2017
This is a good point. You could drop the optional line or put something in to reassure them that we still have whatever it is. This would need to follow through to the timed out page.
Great that you get a full width button on a mobile. I think having a button and a link next to one another looks odd because they are so different to one another. Two buttons next to each other looks OK. Floating the link in the middle of the button may be bad for horizontal scanning in the same way that vertically aligning content to the middle of a cell is bad in a table. It definitely stops me when I see it like this.
I agree this could be better but it is optional. All of the services I have worked on have a ‘confirm and send’ button at the end. The GDS content style guide says 'send' is better than 'file' or 'submit'. This is what I mean by 'sending'. It is not just information on the current page you may lose. You could be 20 screens into a 21 screen journey and lose everything if you are timed out. It depends on the service. A tax credits version because we do not have save and return would be something like ‘Any changes you do not confirm and send will be deleted.’ @gavinwye commented on 31 Aug 2017 I think the next steps are to get the HMRC version of this built into the pattern library prototype taking account of all the feedback above and we can then discuss once we have something to look at. @hannalaakso commented on 8 Sep 2017 Hi @gavinwye Thanks for taking a look at the modal prototype. We are actively developing and testing it, it’s not yet entered our alpha phase so we are cataloguing and prioritising bug fixes. We've got a card in the backlog for the IE11 issue where the focus gets lost when you tab "past" the modal. I'm reviewing the iOS VoiceOver bug. I did testing on VoiceOver before but the timer countdown was a late addition and I kept tweaking it for AT so I suspect that could be the reason. The component takes advantage of the native dialog element and polyfills with Google's Modal Dialog polyfill for browsers that don't support the dialog element. We’ve so far found the combination to be robust in cross browser/device and AT testing. I wrote some accessibility acceptance criteria for the component: I sent this to the X-Gov Accessibility mailing list for review and it was reviewed by our Accessibility team here too. The modal currently fails number 7 since no browser supports this. HMRC modal: We did some AT testing on the link you provided for the modal. A couple of bugs were discovered: On NVDA + Firefox 53.0.3 + Windows 10, the contents of the modal do not get read out so there is no AT notification that a timeout is about to happen. On iOS + Safari and Jaws 18.0 + IE11, the count down only gets read out only once “For your security, you’ll be signed out in 1 minute” before time out. The user would miss hearing this first announcement if they return to the application after the modal is triggered. We’re getting around the above by announcing the changed countdown time once a minute to screen readers until the count is down to the last minute which is when we announce every 20 seconds and then every 10 seconds for the last 30 seconds. These timings are still due to be reviewed but that's the general idea. Really happy to share work and thinking. @adamliptrot-oc commented on 8 Sep 2017 Something to be aware of if using js to count down, is that browsers will 'sleep' tabs which are not in focus (eg not the active tab in a window), which will throw out this timing. @edwardhorsford commented on 8 Sep 2017 Thanks @adamliptrot-oc good advice. I think we're going to have to do more work on how we calculate the times - really the decision of when / whether to timeout is something for the server. The timeout should ultimately be communicating with the server to know when to display / delay. @roblav commented on 8 Sep 2017 I've created a PR for the HRMC version which looks like this,
User ResearchThe pattern was tested in July 2017 with 5 users. Two of them have special needs: one is dyslexic, and the other was 70 at the time of testing. The 5 users understood the message and managed to used it – all of them stayed signed in. Browser & device testingThis pattern has been browser and device tested based on the following the GDS guidelines Accessibility testingThe modal works fine with ZoomText. The modal to be fully accessible and both visually and audibly accurate. Configuration options:To make the session timeout modal as useful as possible there are default settings with the options to pass in custom values. Here is an overview of those configuration options.
@gavinwye commented on 8 Sep 2017 A thought. The configuration of the time out is good for a per service basis as not all services will have the same requirements for this. @stevenaproctor commented on 11 Sep 2017 I still think the content is too passive. title: We are about to sign you out message: For your security, we will sign you out of this service in 2 minutes. Is the title and the message read out automatically by a screen reader? Or do you have to go through the dialog the way you would go through a screen? @stevenaproctor commented on 25 Oct 2017 @gavinwye Do we need a separate pattern for the timed out page we send someone to? @gavinwye commented on 25 Oct 2017
@gavinwye commented on 30 Oct 2017 @stevenaproctor commented on 16 Jan 2018 @roblav This has been added to the design system as a work in progress. See http://hmrc.github.io/assets-frontend/components/timeout-dialog/index.html We will still need to work on the documentation and the wider timeout pattern. @lizhitchcock commented on 10 May 2018 Similarly I think it's OK to say For your security we cleared your details (but never OK to say 'Explore GOV.UK - it's not a mysterious mansion). @stevenaproctor commented on 16 May 2018 I totally agree about the 'Explore GOV.UK' link. I have always thought it odd when it appears on sign out pages and error pages. @stevenaproctor commented on 10 Oct 2018 This is on the GOV.UK Design System backlog. There are 3 relevant issues. |
|
Comment by @kim-code, copied from #175 (duplicate issue): In relation to this, we have received a DAC report stating that we should be warning the user BEFORE this pattern even appears, that there is a timeout feature in place, potentially at the start of a service. Is this something that has been implemented elsewhere? Worth noting that this is a AAA standard, so classed as "low" priority, but none the less a becoming a more common comment in DAC reports. |
|
Comment by @edwardhorsford, copied from #175 (duplicate issue):
I'd be cautious about this - something to test. I've heard several times from other services that putting mention of things like this up front concerns / scares users. They frequently misunderstand the meaning of timeout - and for a 30 minute timeout think they'll have a limit of 30 minutes to complete their application rather than them needing to have 30 minutes of inactivity and have unlimited time overall. Timeouts depend heavily on the service - for many services you can fill them in quickly and will rarely encounter the timeout - for these services, warning up front may unduly concern users where they wouldn't otherwise worry. For services where you're more likely to encounter the timeout it's more important to talk about what information you might need up front and for the service team to consider how users might recover / continue their application (accounts, save & return, codes and whatnot). |
|
Comment by @terrysimpson99, copied from #175 (duplicate issue): I'm happy to see the phrase "Ultimately the timeout will be for services to decide. I expect our guidance to be that it shouldn't be less than 15 minutes, ideally 30 minutes or more. ". What would happen if we acted on that? |
|
Comment by @terrysimpson99, copied from #175 (duplicate issue): There's a 30 minute timeout on the following service: |
|
Comment by @terrysimpson99, copied from #175 (duplicate issue): There's a 1 hour timeout on |
|
Comment by @terrysimpson99, copied from #175 (duplicate issue): The current timeout can result in user being timed out 121 seconds after being active (e.g. a key press). This is barely enough to answer the door, make a cup of tea, or have a call of nature. Has anyone developed a timeout (perhaps client-based) that measures user activity (key presses, mouse moves)? |
|
Comment by @titlescreen, copied from #175 (duplicate issue): @terrysimpson99 we have not. We show the timeout popup after 30 minutes. When we send someone off to verify we extend this to 60 minutes which allows almost all our users to try a couple of providers and hopefully get through. |
|
I think those upfront warnings are potentially confusing. In those examples it says "if you do not enter" and "if you don't do anything". Unless those services are doing something with mouse movement or keypress checking extending the session, there is the possibility the user will see this required "activity" as something different to that expected i.e. the actual submission of data. |
|
@adamliptrot-oc I suggested a solution using javascript here: |
|
I had a chat with a team last week about timeout warnings and what to do if users don't have javascript. My understanding is this wouldn't be a technical WCAG failure - as WCAG doesn't require pages to work without js. But we still want to design for progressive enhancement so ideally would do something. An idea I had was to combine an in-page banner which gives the time of the timeout (can’t use a clock as no js), combined with a meta refresh. Importantly, we then hide this banner using a CSS transition. We set the css transition time to the time we want the banner to appear. So after X minutes on the page, this banner appears. If any team tries this we'd obviously want to investigate how it might appear to AT - we wouldn't its content exposed before the time, and ideally would like it announced to screen readers when it's revealed. This obviously requires CSS but I think could represent a reasonable solution to doing something for non js. |
|
Hey @edwardhorsford on Claim a payment, we had a CSS solution that would basically start an animation that did nothing for e.g. the first 29 minutes, then it would animate to show the timeout. I think some JS also called attention to the alert via an ARIA property. It wasn't perfect but at least it worked for people without JS who also did not have sever visual issues. |
|
@titlescreen yeah, that sounds like a similar idea. Do you have a link to it? |
|
i had a similar thought about replacing a modal window with a notification banner some time ago when there were concerns over accessibility issues with the modal. One thing that might need to be considered - if you set off a timeout banner you might need to pull focus on the page to the banner - in other words, if the user is at the foot of the page and the notification banner appears at the top - would you need a method of 'scroll to' the banner (if it's appearing at the top of the page) so the user has focus on the banner? Im not sure if that is achievable without JS - however my thought is that a banner method might be better than the modal. Also, would the user need to explicitly dismiss the banner notification Or would they be abe to refocus on an input field, for example, which would then dismiss the banner and reset the clock? |
|
Hey @govuk-design-system @hannalaakso. We're working on adding the timeout warning modal dialog to the HMPO online application. The demo requires a username and password. Would be able to send that to me, please? |
|
@veerazazi It's patterns/components. Do note that it's only a prototype and from 4 years ago. There's a bit more detail here about how it tested with users at the time: #104 (comment) |
|
@titlescreen @edwardhorsford would you have links to the implementations you did for the session timeout popups? |
|
@matthewford unfortunately I have moved on to a different job since then. It was in the claim an additional payment for teaching maths and physics service for DfE Manchester. You may be able to speak to Nick Jackson from dxw as I worked with him on the service. |
|
@titlescreen Many thanks, if anyone else is interested the repo is here: https://github.com/DFE-Digital/claim-additional-payments-for-teaching |
|
For the record - this pain point was mentioned for users of 'Pension Schemes Online' (will become 'Managing Pension Schemes'): "One user in particular asks a colleague to sit at their desk and wiggle the mouse while they take a break as they fear their machine would go to sleep and the pension schemes online service would crash, in turn losing all of the data that they had entered that day." |
christopherthomasdesign
moved this to Not published
in GOV.UK Design System: Discuss styles, components and patterns
|
I've been investigating an issue with the modal window in the search on GOV.UK (which opens when you click 'Filter' when in mobile view). I thought I'd share because this will affect lots of other modal windows (including the one in the ARIA Authoring Practices Guide). It turns out that neither VoiceOver on iOS nor TalkBack on Android support This can be avoided by polyfilling (I've also shared this in #30.) |
What
Warn users that their session is about to time out and let them extend it if possible.
Why
All services that use sessions already use, or should use this pattern.
Anything else
Related patterns
#103 Timeout page
The text was updated successfully, but these errors were encountered: