Monday, April 20, 2015

How should I correctly implement a timeout warning?


I'm working on a web app that contains sensitive data akin to what you will find on tax forms - ex: SSNs, income, addresses, etc.


The people using this web app are financial aid administrators in universities/colleges throughout the U.S.A. The point is the student fills it out, the app is sent to the schools the student applied to, schools analyze the student's financial data, student is awarded need-based aid to go to school.


The timeout is currently set to 1 hour. If no activity is detected within 1 hour, the person is automatically logged out and anything they were working on is lost. The way the web app works is it only saves a page if all fields are completed; in other words, if you only completed 4 out of the 10 required fields in a given page, you cannot save that page until you complete all 10 fields. So, if you leave the page without saving, all your data is lost for that page. So, you can see how if you're halfway through a difficult page, you look away for more than an hour to do something, your work will be lost when you're auto logged out.


We want to implement a timeout warning. Let's say 45 minutes into the timer of no activity, the app shows a pop up warning about the impending log out and gives the option to reset the timer.


Is this the best and most elegant way to handle this? A pop up that shows xx minutes before the log out, warning the user and giving them a chance to continue? Other ideas?


Is it necessary we show in the pop up how long the user has until they are logged out?


What if the dev team says it's too expensive or requires too many hours to implement a timeout warning? As a temporary solution, what should be done to warn of the timeout? Post a static message in the head of each page, explaining what will happen after 1 hour of inactivity?



Are these the right questions to ask? Should I, instead, ask why the web app doesn't save data even on partly-completed pages? If it did, then it wouldn't be such a big deal if you're logged out and you just have to log back in and continue from exactly where you left off.


Any insights will be helpful. Thanks!



Answer



Mint.com has my favorite implementation of this; they tell you that for security reasons they're about to log you out due to inactivity (explaining the why is an important part here). Any activity on the user's part, even moving the mouse, extends your session. The pop up appears front and center of the monitor, not on a part of the page. Yes, it gets in the way briefly, but it's kind of important that it does.


In my opinion this is one of the best ways to handle it; I don't see why specific interactions like a button should be required at all; if they can interact with their PC, that should be enough to prove they're still there. Additionally Mint.com constantly updates your "expiration time" while you're using the site. If I'm actively using the site the whole time I shouldn't be nagged about inactivity at all, of course.



Is it necessary we show in the pop up how long the user has until they are logged out?



Why would you not? It's extremely uncool to press "okay" to extend your session to find TOO LATE-- you missed the deadline. Just show a simple countdown of the time remaining.




Post a static message in the head of each page, explaining what will happen after 1 hour of inactivity?



At the very least it should be front and center, on the page where the user is. Since it's only being shown after inactivity the "don't get in the user's way" issue is minor; after all, we want to get in their way. Losing your data is far more annoying than seeing a pop up that's trying to save all your work.



Should I, instead, ask why the web app doesn't save data even on partly-completed pages?



You should, but that's a separate issue. Whether or not it makes sense to save partial information (it often does) is a separate issue.
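
The behaviour discussed above (warn at 45 minutes, log out at 60, let any activity extend the session, show a countdown) as an added JavaScript example that is not part of the original question or answer. The class name, the `onExtend` hook and the 5-minute keep-alive throttle are assumptions; the timer counts from the last server refresh so the countdown matches what the server will enforce.

```javascript
// Added example (not from the original post). Clock is injectable for testing.
const MIN = 60 * 1000;

class IdleSessionTimer {
  // onExtend: hypothetical hook that pings the server so the server-side
  // session timeout, which is the one that actually counts, is pushed back.
  constructor({ warnAfter = 45 * MIN, logoutAfter = 60 * MIN,
                keepAliveEvery = 5 * MIN, now = Date.now, onExtend = () => {} } = {}) {
    Object.assign(this, { warnAfter, logoutAfter, keepAliveEvery, now, onExtend });
    this.extendedAt = now(); // last time the server session was refreshed
    this.expired = false;
  }

  // Call from mousemove/keydown/click handlers. Any activity extends the
  // session, also while the warning is showing, but never after expiry.
  activity() {
    if (this.state() === 'expired') return false;
    const t = this.now();
    // Throttle: mouse moves fire constantly, so refresh at most once per
    // keepAliveEvery. Activity during the warning always passes this check.
    if (t - this.extendedAt >= this.keepAliveEvery) {
      this.extendedAt = t;
      this.onExtend();
    }
    return true;
  }

  // 'active' | 'warning' | 'expired'. Expiry latches until a new login.
  state() {
    const idle = this.now() - this.extendedAt;
    if (this.expired || idle >= this.logoutAfter) { this.expired = true; return 'expired'; }
    return idle >= this.warnAfter ? 'warning' : 'active';
  }

  // Text for the countdown in the warning dialog, as m:ss.
  countdown() {
    if (this.state() === 'expired') return '0:00';
    const s = Math.ceil((this.extendedAt + this.logoutAfter - this.now()) / 1000);
    return `${Math.floor(s / 60)}:${String(s % 60).padStart(2, '0')}`;
  }
}
```

In a page, poll `state()` once a second to show or hide the dialog and render `countdown()` inside it; on `'expired'`, clear the form from the DOM and redirect to the login page.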

