Best practices for time out (log out) warning

5 May 2009 - 10:39am
R Sengers

For a web-based password-protected site with sensitive information, the user
usually is logged out after a period of inactivity. (In part, this is to
prevent others from seeing/changing the data on their screen, if the user is
on coffee break.) Ideally, the user would be warned before the time-out,
with an option to extend the time.

What are the best practices for this time-out warning?

Note that the user may have multiple browser windows/tabs open (with other
web sites) or may be working in a desktop application. Should they be
interrupted or not? (In this particular application, some users use it
periodically throughout the day, for time-sensitive critical tasks.)

What should the warning's format be? Options include:
- Small popup window (a new browser window). Means users with popups blocked
might not see it.
- JavaScript dialog that is visible no matter how many browser windows you
have open (I think this is referred to as application-modal?)
- "Overlay" modal div layer in the app's web page
- Anything else?

(BTW In this particular application, users are prevented from tabbed
browsing - so they never have multiple windows open for the same app).

And best practices for the layout and wording of the warning?

Thanks!
Rachel

Comments

8 May 2009 - 2:50pm
R Sengers

The time warning and extension is helpful because:
- It can be frustrating (when doing critical tasks) to be logged out, then
have to log back in and go back to where you were
- Needed for Section 508 accessibility reasons (gives users more time to
complete tasks)

The scammer can extend the session simply by clicking anywhere on the web
page. So not showing the time-out message doesn't prevent that (although you
can argue the message gives them a heads-up that they need to click). I
guess you make the time-out message modal, and the user needs to enter their
password to continue - but that's extra work for the user.

Anne wrote:

>
> I've always been a little leery about extending the time-out. If the use of
> the website is primarily for not-so-critical applications like, say, my
> login on a knitting forum or something, then yeah, I don't mind a time-out
> warning.
>
> But for critical applications like banking, credit cards, or even
> social-networking apps where my reputation is on the line, it always
> bothered me. (And of course financial sites are where I most often see it
> implemented.) If I-the-scammer walk up to your computer while you're away
> and I get a prompt to extend the session and prevent time-out, I've now
> bought myself X minutes of free hack-your-stuff time while you're gone.
> Isn't the point of timing me out that I have to prove I'm the right user
> before I can regain access to the site?
>

Rachel wrote:

> For a web-based password-protected site with sensitive information, the
> user usually is logged out after a period of inactivity. Ideally, the user
> would be warned before the time-out, with an option to extend the time.
>

8 May 2009 - 2:53pm
R Sengers

Does anyone have thoughts on doing a popup window (new browser window) vs.
an application-modal JavaScript dialog for the time-out message? (The message
warns the user that the session is about to time out, with an option to extend
the session.)

It's important (in this situation) that users see the message, so an overlay
doesn't work well. A popup window looks friendlier than a JavaScript dialog,
but may be blocked by popup blockers.

One option might be to show popup first, then if no response show the
JavaScript dialog right before the session expires.
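As an added example (not code from this thread or from ixda.org), the two-stage warning Rachel describes, a friendlier first warning followed by a last-chance modal dialog, and the password-to-extend idea from her earlier reply can be modelled as a small client-side state machine. It assumes a hypothetical server keep-alive endpoint (`extendSession` here, a stand-in function) that validates the extension and may demand the password; the server's own inactivity limit remains the authoritative control, and this timer only mirrors it for the user. The example goes one step beyond the posts: once a warning is showing, ordinary activity (a stray click by whoever walked up to the machine, the case Anne raises) no longer resets the timer; only an explicit, server-checked extension does.

```javascript
// Added example, not from the IxDA thread. Client-side idle-session timer:
// warns ahead of the server's inactivity limit, escalates to a final warning,
// and extends the session only through an explicit server-validated call.
// The clock and the server call are injected so the logic runs offline.

const STATE = { ACTIVE: 'active', WARNING: 'warning', FINAL: 'final', EXPIRED: 'expired' };

class IdleSessionTimer {
  // timeoutMs: the server's idle limit (this timer must match it; the server
  //   enforces it regardless of what the browser does).
  // warnBeforeMs / finalBeforeMs: lead times for the first (friendly) warning
  //   and for the last-chance modal dialog.
  // now: clock returning milliseconds.
  // extendSession(credentials) -> boolean: hypothetical keep-alive call; in a
  //   real app this is a request to the server, which may refuse.
  constructor({ timeoutMs, warnBeforeMs, finalBeforeMs, now = Date.now, extendSession }) {
    if (!(finalBeforeMs < warnBeforeMs && warnBeforeMs < timeoutMs)) {
      throw new RangeError('need finalBeforeMs < warnBeforeMs < timeoutMs');
    }
    Object.assign(this, { timeoutMs, warnBeforeMs, finalBeforeMs, now, extendSession });
    this.state = STATE.ACTIVE;
    this.lastActivity = now();
  }

  // Milliseconds left before the session expires; use it for a countdown.
  remainingMs() {
    return Math.max(0, this.lastActivity + this.timeoutMs - this.now());
  }

  // Called from genuine user input (keydown, click, ...). Ignored once a
  // warning is showing: a click by someone who walked up to the machine must
  // not silently extend the session. Only extend() clears a warning.
  activity() {
    if (this.state === STATE.ACTIVE) this.lastActivity = this.now();
  }

  // Poll on an interval (e.g. every second) and render the matching UI:
  // friendly popup/overlay on WARNING, modal dialog on FINAL, logout on EXPIRED.
  tick() {
    if (this.state === STATE.EXPIRED) return this.state;
    const left = this.remainingMs();
    if (left === 0) this.state = STATE.EXPIRED;
    else if (left <= this.finalBeforeMs) this.state = STATE.FINAL;
    else if (left <= this.warnBeforeMs) this.state = STATE.WARNING;
    return this.state;
  }

  // Explicit "keep me logged in" from the warning dialog. The server decides;
  // a refusal (wrong password, session already gone) ends the session here too.
  extend(credentials) {
    if (this.state === STATE.EXPIRED) return false;
    const ok = Boolean(this.extendSession(credentials));
    if (ok) {
      this.lastActivity = this.now();
      this.state = STATE.ACTIVE;
    } else {
      this.state = STATE.EXPIRED;
    }
    return ok;
  }
}

// Offline walk-through with a fake clock: 15-minute limit, warning at 2 minutes
// left, final dialog at 30 seconds left. Returns the sequence of observations.
function demo() {
  const MIN = 60 * 1000;
  let t = 0;
  // Constructed stand-in for the server keep-alive: accepts only the right password.
  const keepAlive = (creds) => Boolean(creds && creds.password === 'correct horse battery');
  const timer = new IdleSessionTimer({
    timeoutMs: 15 * MIN, warnBeforeMs: 2 * MIN, finalBeforeMs: MIN / 2,
    now: () => t, extendSession: keepAlive,
  });
  const log = [];
  t = 5 * MIN; timer.activity(); log.push(timer.tick());       // 'active', expiry now at 20:00
  t = 18.5 * MIN; log.push(timer.tick());                      // 'warning' (1.5 min left)
  timer.activity(); log.push(timer.tick());                    // still 'warning': click ignored
  log.push(timer.extend({ password: 'correct horse battery' }));// true
  log.push(timer.tick());                                      // 'active', expiry now at 33:30
  t = 33.25 * MIN; log.push(timer.tick());                     // 'final' (15 s left)
  log.push(timer.extend({ password: 'wrong' }));               // false: server refuses
  log.push(timer.tick());                                      // 'expired'
  log.push(timer.extend({ password: 'correct horse battery' }));// false: too late
  return log;
}
```

Whatever the dialog looks like (popup window, native dialog or overlay), the extension request itself is the part that matters for security: the server must treat it like any other authenticated request and, for sensitive applications, may require the password again, so a visible warning never hands an attacker more than the countdown already shown.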

9 May 2009 - 11:46am
DampeS8N

You can't make people be secure. You can only help mitigate the
damages when their insecurity causes them. Invest time in dealing
with what will happen if the user leaves their laptop open to their
bank account at starbucks and then goes to the bathroom.

It is going to happen. So offer a way to make it unhappen. Which
might mean calling you with some non-computer controllable
information. Don't expose their credit card numbers in the app, why
would you need to? Don't give people who break in the ability to
steal the person's identity. They know who they are. That "Hi Mike
Wallace" doesn't need to be there. They may send off all the
user's money to some other bank account, and they may then change
the password so the user can't get back in. So you set up a hotline
the user can call and fix the problem.

In short. Make the app safer for the user if he is an idiot and lets
other people get in and make the actions taken reversible. Such as
putting a delay on transactions.

These are all just off the top of my head. My point is that this
concept of logging the user out automatically almost assuredly only
annoys people or gives them a false sense of security.

And it is a cheap hack way to avoid the harder job of making the
internals of the app less vulnerable.

Sooo... I guess my best practice is to not do it at all.

Posted from the new ixda.org
http://www.ixda.org/discuss?post=41760