Bug 99: Session Timeout Without Warning (F7)

WCAG 2.2.1 (Timing Adjustable) | Session expires with no advance warning or way to extend time.

Failure F7: Silent Session Expiration

A banking app silently logs users out after 15 minutes of inactivity:

❌ BUGGY PATTERN

// Server-side timeout, no warning
const SESSION_TIMEOUT = 15 * 60; // 15 min
// When time expires: redirect to login
// User loses unsaved work!

Result: User filling out a form (takes 20 minutes). Session expires silently. Hits Submit and gets "Login expired" error. Form data lost.

Issue: No warning. No extension option. Users with accessibility needs (slow typists, people with cognitive disabilities) are most affected. Users lose work without notice.

Failure F7: Warning Too Late, No Extension Option

A government portal warns but provides no way to extend:

⚠️ PARTIAL WARNING (Still buggy)

// 30 seconds before timeout, show dialog:
"Your session will expire in 30 seconds."
// Dialog has only one button: "OK"
// Clicking OK does... nothing

Result: Dialog appears but offers no "Stay Logged In" button. Blind users can't find a way to extend. 30 seconds later: logged out anyway.

Issue: Warning is too short (30 sec). No extension mechanism. Screen reader users may not notice the dialog. Assistive technology (AT) users, who are often slower to respond, need more time.

Failure F7: No Accessibility Settings Available

A healthcare portal offers timeout settings, but none that work for users with accessibility needs:

Click dropdown to adjust. (But what if you need 2 hours?)

Issue: Only preset values (5, 10, 30 min, never). Users with accessibility needs (slow typing, cognitive disability) may need 2+ hours. No custom timeout available. No way to extend existing session if you need more time mid-work.

Better Approach (For Reference)

Requirements for accessible timeouts:

  • At least 20 minutes default timeout (not 5-10 min)
  • Clear warning at least 60 seconds before timeout
  • "Stay Logged In" button in warning that user can easily find and click
  • Customizable timeout (allow 2+ hours if needed)
  • No timeout while user is active (only when away from keyboard)
  • Announce timeout via aria-live (not just visual dialog)
  • Remove expiration entirely if possible (only expire on close)

Example (Correct): "Your session will expire in 2 minutes. "
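
One way to implement the warning, extension and aria-live requirements listed above, as an added example that is not code from the original page. SessionTimer, wireWarning, renewOnServer and the element ids are assumed names; the server remains the authority on when the session actually expires.

```javascript
// Added example; SessionTimer, wireWarning and the element ids are assumed names.
class SessionTimer {
  constructor({ timeoutSeconds = 20 * 60, warnSeconds = 120, now = Date.now() } = {}) {
    if (warnSeconds < 60) throw new RangeError("warn at least 60 s before expiry");
    if (timeoutSeconds <= warnSeconds) throw new RangeError("timeout must exceed warning");
    this.timeoutMs = timeoutSeconds * 1000; // user-adjustable, e.g. 2 hours
    this.warnMs = warnSeconds * 1000;
    this.expiresAt = now + this.timeoutMs;
  }
  remainingMs(now = Date.now()) {
    return Math.max(0, this.expiresAt - now);
  }
  state(now = Date.now()) {
    const left = this.remainingMs(now);
    if (left === 0) return "expired";
    return left <= this.warnMs ? "warning" : "active";
  }
  // Backs the "Stay Logged In" button; an expired session is never revived.
  extend(now = Date.now()) {
    if (this.state(now) === "expired") return false;
    this.expiresAt = now + this.timeoutMs;
    return true;
  }
  // Text for the aria-live region; empty while no warning is due.
  announcement(now = Date.now()) {
    const state = this.state(now);
    if (state === "active") return "";
    if (state === "expired") return "Your session has expired.";
    const mins = Math.ceil(this.remainingMs(now) / 60000);
    return `Your session will expire in ${mins} minute${mins === 1 ? "" : "s"}.`;
  }
}

// Browser wiring. renewOnServer is a caller-supplied async function that asks
// the server to renew the session and resolves to true on success; the client
// timer only drives the warning and must mirror the server-side timeout.
function wireWarning(timer, doc, renewOnServer) {
  const live = doc.getElementById("session-live"); // <div aria-live="assertive">
  const dialog = doc.getElementById("session-warning"); // contains the button
  const button = doc.getElementById("stay-logged-in");
  button.addEventListener("click", async () => {
    if (await renewOnServer()) timer.extend();
  });
  return setInterval(() => {
    const text = timer.announcement();
    dialog.hidden = timer.state() !== "warning";
    if (live.textContent !== text) live.textContent = text; // announce on change only
  }, 1000);
}
```

The timer never redirects on expiry, so form contents stay on the page while the user logs in again.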

Real-World Impact

Users affected by timeout issues:

  • Motor disabilities: Slow to type/navigate (form takes 30 min)
  • Cognitive disabilities: Need time to process and respond to warnings
  • Blind/low vision: May miss visual timeout warning; only hear aria-live
  • Deaf: No audio cues; depend on visual warning (ensure text is clear)
  • Older adults: Slower navigation, may miss warning if too quick
  • International users: May need translation time; rushed timeout punitive

HAL Fixes: HAL detects session timeout code and ensures: (1) the warning shows at least 60 seconds before expiration, (2) the "Continue Session" button is easily accessible, (3) the timeout can be extended to custom durations, (4) the timeout warning is announced via aria-live, (5) there is an option to disable the timeout entirely if security allows.