Best practices for time out (log out) warning

5 May 2009 - 10:39am
R Sengers
2008

For a web-based password-protected site with sensitive information, the user
usually is logged out after a period of inactivity. (In part, this is to
prevent others from seeing/changing the data on their screen, if the user is
on coffee break.) Ideally, the user would be warned before the time-out,
with an option to extend the time.

What are the best practices for this time-out warning?

Note that the user may have multiple browser windows/tabs open (with other
web sites) or may be working in a desktop application. Should they be
interrupted or not? (In this particular application, some users use it
periodically throughout the day, for time-sensitive critical tasks.)

What should the warning's format be? Options include:
- Small popup window (a new browser window). Means users with popups blocked
might not see it.
- JavaScript dialog that is visible no matter how many browser windows you
have open (I think this is referred to as application-modal?)
- "Overlay" modal div layer in the app's web page
- Anything else?

(BTW In this particular application, users are prevented from tabbed
browsing - so they never have multiple windows open for the same app).

And best practices for the layout and wording of the warning?

Thanks!
Rachel

Comments

5 May 2009 - 12:13pm
Anonymous

new-bounces at ixda.org wrote on 05/05/2009 04:39:17 AM:

> For a web-based password-protected site with sensitive information, the
> user usually is logged out after a period of inactivity. (In part, this is to
> prevent others from seeing/changing the data on their screen, if the user
> is on coffee break.) Ideally, the user would be warned before the time-out,
> with an option to extend the time.

I've always been a little leery about extending the time-out. If the use of
the website is primarily for not-so-critical applications like, say, my
login on a knitting forum or something, then yeah, I don't mind a time-out
warning.

But for critical applications like banking, credit cards, or even
social-networking apps where my reputation is on the line, it always
bothered me. (And of course financial sites are where I most often see it
implemented.) If I-the-scammer walk up to your computer while you're away
and I get a prompt to extend the session and prevent time-out, I've now
bought myself X minutes of free hack-your-stuff time while you're gone.
Isn't the point of timing me out that I have to prove I'm the right user
before I can regain access to the site?

That being said, I usually see the warning in a pop-up window or modal
layer. I prefer a layer because it doesn't disrupt whatever else the user is
doing, which in the user's mind is probably more important or they would be
paying more attention to the site in question.

anne gibson


8 May 2009 - 2:50pm
R Sengers
2008

The time warning and extension is helpful because:
- It can be frustrating (when doing critical tasks) to be logged out, then
have to log back in and go back to where you were
- Needed for Section 508 accessibility reasons (gives users more time to
complete tasks)

The scammer can extend the session simply by clicking anywhere on the web
page. So not showing the time out message doesn't prevent that (although you
can argue the message gives them a heads-up that they need to click). I
guess you make the timeout message modal, and the user needs to enter their
password to continue - but that's extra work for the user.

Anne wrote:

>
> I've always been a little leery about extending the time-out. If the use of
> the website is primarily for not-so-critical applications like, say, my
> login on a knitting forum or something, then yeah, I don't mind a time-out
> warning.
>
> But for critical applications like banking, credit cards, or even
> social-networking apps where my reputation is on the line, it always
> bothered me. (And of course financial sites are where I most often see it
> implemented.) If I-the-scammer walk up to your computer while you're away
> and I get a prompt to extend the session and prevent time-out, I've now
> bought myself X minutes of free hack-your-stuff time while you're gone.
> Isn't the point of timing me out that I have to prove I'm the right user
> before I can regain access to the site?
>

Rachel wrote:

> For a web-based password-protected site with sensitive information, the
> user usually is logged out after a period of inactivity. Ideally, the user
> would be warned before the time-out, with an option to extend the time.
>

8 May 2009 - 2:53pm
R Sengers
2008

Does anyone have thoughts on doing a popup window (new browser window) vs.
an application-modal JavaScript dialog for the timeout message? (The message
warns the user that the session is about to time out, with an option to
extend the session.)

It's important (in this situation) that users see the message, so overlay
doesn't work well. Popup window looks friendlier than JavaScript dialog, but
may be blocked by popup blockers.

One option might be to show popup first, then if no response show the
JavaScript dialog right before the session expires.
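The two mechanics discussed in this thread can be sketched together: the server-side idle timeout that actually ends the session (so a bare click or a dismissed warning never extends anything on its own), an extension path that asks for the password again as Rachel suggests, and the client-side escalation from a popup to a blocking dialog right before expiry. The following is an added example written for this page, not code from the IxDA thread or from any product mentioned in it; the timeout values, the session-store shape, and the `verifyPassword` callback are assumptions of the example, and it keeps time as an explicit `now` argument so it runs without a browser or real timers.

```javascript
// Added example, not code from the IxDA thread or any product it mentions.
// Server-side idle timeout is the real control; the browser warning is only
// advisory. Extending from the warning re-checks the password. Timeout values,
// names and verifyPassword are this example's own assumptions. Times are in
// milliseconds; `now` is passed in so the logic is testable without timers.

const IDLE_TIMEOUT_MS = 15 * 60 * 1000;        // assumed: log out after 15 min idle
const WARNING_LEAD_MS = 2 * 60 * 1000;         // assumed: start warning 2 min before expiry
const LAST_CHANCE_MS = 20 * 1000;              // assumed: blocking dialog at 20 s remaining
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000;  // assumed: hard cap regardless of activity

// Server side. The session record decides whether a request is still
// authenticated; nothing the page's JavaScript does can override it.
class SessionStore {
  constructor() {
    this.sessions = new Map();
  }

  create(id, userId, now) {
    this.sessions.set(id, { userId, createdAt: now, lastActivity: now });
  }

  // Returns the live session, or deletes it and returns null once either the
  // idle window or the absolute lifetime has run out.
  lookup(id, now) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const idleExpired = now - s.lastActivity >= IDLE_TIMEOUT_MS;
    const absoluteExpired = now - s.createdAt >= ABSOLUTE_LIMIT_MS;
    if (idleExpired || absoluteExpired) {
      this.sessions.delete(id);
      return null;
    }
    return s;
  }

  // Any ordinary authenticated request slides the idle window: this is the
  // "clicking anywhere on the page extends the session" behaviour.
  touch(id, now) {
    const s = this.lookup(id, now);
    if (!s) return false;
    s.lastActivity = now;
    return true;
  }

  // Extension requested from the warning dialog. Rather than treating the
  // click as proof the right person is present, the server re-checks the
  // password. verifyPassword(userId, password) is a hypothetical callback
  // standing in for the site's real credential check.
  extend(id, now, password, verifyPassword) {
    const s = this.lookup(id, now);
    if (!s) return { ok: false, reason: 'expired' };
    if (!verifyPassword(s.userId, password)) return { ok: false, reason: 'bad-credential' };
    s.lastActivity = now;
    return { ok: true, expiresAt: this.expiresAt(id) };
  }

  // When the session dies if nothing else happens; reported to the browser so
  // it can schedule the warning. null once the session is gone.
  expiresAt(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    return Math.min(s.lastActivity + IDLE_TIMEOUT_MS, s.createdAt + ABSOLUTE_LIMIT_MS);
  }
}

// Client side. Given the expiry the server reported, pick what the page should
// show right now: nothing, the friendlier popup, then the blocking dialog just
// before expiry. A successful extend moves expiresAt forward, which is what
// dismisses the warning.
function warningStep(expiresAt, now) {
  const remaining = expiresAt - now;
  if (remaining <= 0) return 'expired';          // send the user back to the login page
  if (remaining <= LAST_CHANCE_MS) return 'blocking-dialog';
  if (remaining <= WARNING_LEAD_MS) return 'popup';
  return 'none';
}

// Walk one session through the sequence and return what the client would show
// at each step. All values below are constructed for the example.
function demo() {
  const store = new SessionStore();
  const verifyPassword = (userId, pw) => userId === 'rachel' && pw === 'correct-horse'; // constructed stand-in
  const MIN = 60 * 1000;
  store.create('sid-1', 'rachel', 0);
  const steps = [];
  steps.push(warningStep(store.expiresAt('sid-1'), 12 * MIN));          // 'none'
  steps.push(warningStep(store.expiresAt('sid-1'), 14 * MIN));          // 'popup'
  steps.push(warningStep(store.expiresAt('sid-1'), 15 * MIN - 10000));  // 'blocking-dialog'
  // Whoever is at the keyboard clicks "extend" without knowing the password:
  steps.push(store.extend('sid-1', 15 * MIN - 5000, 'guess', verifyPassword).reason); // 'bad-credential'
  // The real user extends in time and the warning clears:
  const r = store.extend('sid-1', 15 * MIN - 5000, 'correct-horse', verifyPassword);
  steps.push(r.ok ? warningStep(r.expiresAt, 15 * MIN) : 'expired');   // 'none'
  return steps;
}
```

The split matters for the concern Anne raised: `warningStep` only decides what to draw, and whichever UI is chosen (popup, blocking dialog, overlay) the session lives or dies in `SessionStore.lookup`. Calling `extend` from the dialog with the password is the "modal plus password" option from the post above; dropping the password check turns `extend` into an ordinary `touch`, which is exactly the "clicking anywhere extends it" situation the thread describes.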

9 May 2009 - 11:46am
DampeS8N
2008

You can't make people be secure. You can only help mitigate the
damages when their insecurity causes them. Invest time in dealing
with what will happen if the user leaves their laptop open to their
bank account at starbucks and then goes to the bathroom.

It is going to happen. So offer a way to make it unhappen. Which
might mean calling you with some non-computer controllable
information. Don't expose their credit card numbers in the app, why
would you need to? Don't give people who break in the ability to
steal the person's identity. They know who they are. That "Hi Mike
Wallace" doesn't need to be there. They may send off all the
user's money to some other bank account, and they may then change
the password so the user can't get back in. So you set up a hotline
the user can call and fix the problem.

In short, make the app safer for the user if he is an idiot and lets
other people get in and make the actions taken reversible. Such as
putting a delay on transactions.

These are all just off the top of my head. My point is that this
concept of logging the user out automatically almost assuredly only
annoys people or gives them a false sense of security.

And it is a cheap hack way to avoid the harder job of making the
internals of the app less vulnerable.

Sooo... I guess my best practice is to not do it at all.

Posted from the new ixda.org
http://www.ixda.org/discuss?post=41760
