Best Practices for Warning of Session Expiration

  • Our application has a 30 min auto-expiring session - the session is renewed on server communication.

    What is the best way to communicate an expiring session to the user? My initial thought is to display a modal warning shortly before expiration with "your session is about to expire [continue]" (better wording?) which allows the user to continue (communicating in the background to renew the session).

    • Is it ever appropriate to display a session timer to the user?
    • Is it ever appropriate to expire a session without the user having an opportunity to extend it?
    • Do users need to be aware of when the session will expire as long as they will have the option to extend it?

    I'm not sure about the best course of action, but do take care to prevent data loss (when forms can't be submitted because of session expiration and are then lost without warning).

    Toggle the CD/DVD drive open and closed with flashing lights and a klaxon alarm. "Danger Will Robinson, Danger!"

    Sorry, I couldn't resist and I didn't have anything to add to Jan and Susan's excellent points. Please don't do this. ;)

    Let me ask you, @Luke Charde: what is the *benefit* of session expiration? How much does it weigh for you as a service provider? For the user? How (or how often / under what conditions) can you avoid incurring a cost on users for a benefit to you? Solve that first, and then think about how to implement session expiration *if you really need it*.

  • Susan R

    Correct answer

    10 years ago

    I believe that a session time out falls under the category of "timed responses". To meet accessibility then, the user should be given the chance to extend, or at the least, be notified it's occurring.

    Notifying the user about the length of the session is not a requirement, though it should be determined on a "per application basis". For instance, if it's an application where the user is creating/modifying intricate data, or anything else complex/time consuming - offering them the chance to extend while they're rummaging through their notes could be an important "feature".

    Thanks Susan, I had not thought about the accessibility angle - I'll have to research that further.

    If a session does expire, a user-friendly web application could automatically save any unsaved data (in a form that wasn't posted yet, for example) and restore it once the user restores their session. This can even be done on the client side with HTML 5 local storage:
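The client-side save and restore described in the comment above, as an added example that is not the commenter's original code. Because local storage outlives the session and is readable by any script on the origin, this sketch skips credential and hidden fields and binds the draft to a user and a time limit; the function names, key prefix, TTL and field-name pattern are assumptions.

```javascript
// Added example: key prefix, TTL and field-name patterns are assumptions.
const DRAFT_PREFIX = "draft:";
const DRAFT_TTL_MS = 60 * 60 * 1000; // discard drafts older than one hour
const SENSITIVE = /pass|card|cvv|ssn|token/i; // field names never persisted

// storage: object with getItem/setItem/removeItem (window.localStorage in a browser).
// fields: [{name, type, value}] collected from the form before the session expires.
function saveDraft(storage, userId, formId, fields, now = Date.now()) {
  const kept = {};
  for (const f of fields) {
    // Skip secrets and hidden inputs (a stale CSRF token must not be restored).
    if (f.type === "password" || f.type === "hidden" || SENSITIVE.test(f.name)) continue;
    kept[f.name] = f.value;
  }
  storage.setItem(DRAFT_PREFIX + formId, JSON.stringify({ userId, savedAt: now, fields: kept }));
  return Object.keys(kept);
}

// Returns the saved fields only to the same user within the TTL. The entry is
// deleted on every read so it does not linger in a shared browser profile.
function restoreDraft(storage, userId, formId, now = Date.now()) {
  const key = DRAFT_PREFIX + formId;
  const raw = storage.getItem(key);
  if (raw === null) return null;
  storage.removeItem(key);
  let draft;
  try { draft = JSON.parse(raw); } catch { return null; } // corrupted entry
  if (!draft || draft.userId !== userId) return null; // a different user signed in
  if (typeof draft.savedAt !== "number" || now - draft.savedAt > DRAFT_TTL_MS) return null;
  return draft.fields; // assign via element.value, never innerHTML
}

// In-memory stand-in for localStorage so the example also runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample form state.
const demoStore = memoryStorage();
saveDraft(demoStore, "alice", "report", [
  { name: "title", type: "text", value: "Q3 notes" },
  { name: "password", type: "password", value: "hunter2" },
]);
console.log(restoreDraft(demoStore, "alice", "report"));
```

In a browser, pass `window.localStorage` as `storage` and call `saveDraft` from the expiry-warning handler, then `restoreDraft` after the user signs back in.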

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM