Re-authenticating
Success Criterion 2.2.5 (Level AAA)
Question
When a session times out and re-authentication is required, is previously entered form data retained so the user does not have to re-enter data?
Why is this important
Individuals with visual disabilities, dexterity impairments, and cognitive limitations may need more time to perform online tasks such as entering data into a web page or application. Some sites implement security measures that log the user out after a set period of inactivity. If a user is then required to re-authenticate by logging in again, restoring the previously entered data lets the user resume where they left off and finish the activity rather than starting over.
Whom does it benefit?
Example:
As a person with a visual impairment who uses a screen reader, completing forms can be difficult and time-consuming.
I want previously entered data to be restored if I am automatically timed out of a session, so that I can log back in and continue to complete the form where I left off.
What should you do?
If a site or application uses time limits for security measures, ensure data entered by the user is saved prior to requiring re-authentication by the user. After re-authentication is successful, repopulate the data fields with previously entered data.
How do you do it?
- When a user is timed out of a session and is prompted to log in again, the server should store the pending form data in a temporary cache. Once the user has re-authenticated, the data is retrieved from the cache and the user may continue as if they had never been logged out. The cache entry should be bound to the user who entered the data (so a different account logging in on the same browser cannot retrieve it), should expire after a short time, and should be removed once it has been restored.
- If the data cannot be stored in a temporary cache, another option is to have the server pass the information as "hidden data" into the re-authentication page. Once the user logs in again, the data is passed from the re-authentication page back to the original page. Because this data round-trips through the client, it should be integrity-protected (for example, signed) and must still be validated on return exactly as a fresh submission would be.
- With either approach, do not preserve values that should never be stored or echoed back, such as passwords or payment card numbers; the user should re-enter those fields.
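The following is an added example, not code from the original guidance, illustrating both options above: a server-side store of pending form data that is bound to the user, expires, and is single-use, plus a signed "hidden data" blob for the case where no server-side cache is available. The field names, the `user-42` identifier, the time limits and the list of sensitive fields are assumptions chosen for the example.

```python
"""Preserve form data across a session timeout and re-authentication.

Added example (not from the WCAG guidance page). Two mechanisms:
  1. PendingFormStore: server-side cache keyed by an unguessable token,
     bound to the user who entered the data, time-limited and single-use.
  2. seal/open_hidden_data: an HMAC-signed blob that can be carried in a
     hidden field of the re-authentication page when no cache exists.
Sensitive values are dropped before saving; the user re-enters them.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed list of field names that must never be preserved across re-auth.
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "ssn"}


def scrub(form_data):
    """Return a copy of the form data without sensitive fields."""
    return {k: v for k, v in form_data.items() if k.lower() not in SENSITIVE_FIELDS}


class PendingFormStore:
    """In-memory cache of form data awaiting re-authentication."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._entries = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested

    def stash(self, user_id, form_data):
        """Save scrubbed form data for user_id; return an opaque token."""
        token = secrets.token_urlsafe(32)  # 256-bit random, not guessable
        self._entries[token] = {
            "user_id": user_id,
            "data": scrub(form_data),
            "expires": self._clock() + self._ttl,
        }
        return token

    def restore(self, token, user_id):
        """Return the saved data once, only for the same user and before expiry."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._entries[token]  # expired: discard
            return None
        if entry["user_id"] != user_id:
            return None  # a different account re-authenticated; do not leak
        del self._entries[token]  # single use
        return entry["data"]


def seal_hidden_data(secret_key, user_id, form_data, ttl_seconds, clock=time.time):
    """Serialize scrubbed form data, bound to user_id and an expiry, and sign it."""
    payload = {"u": user_id, "d": scrub(form_data), "e": int(clock() + ttl_seconds)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    ).decode()
    tag = hmac.new(secret_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def open_hidden_data(secret_key, blob, user_id, clock=time.time):
    """Verify the signature, expiry and user binding; return the data or None."""
    try:
        body, tag = blob.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["e"] < clock() or payload["u"] != user_id:
        return None
    return payload["d"]


if __name__ == "__main__":
    # Constructed sample: a partially completed profile form at timeout.
    form = {"name": "Ada", "address": "1 Main St", "password": "hunter2"}
    store = PendingFormStore(ttl_seconds=900)
    token = store.stash("user-42", form)
    print("restored after re-login:", store.restore(token, "user-42"))
    key = secrets.token_bytes(32)
    blob = seal_hidden_data(key, "user-42", form, 900)
    print("hidden-field round trip:", open_hidden_data(key, blob, "user-42"))
```

Whichever mechanism is used, the restored values are treated as untrusted input when the original form is finally submitted; preserving them only saves the user from retyping, it does not replace server-side validation.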
Need technical guidance?
Additional Resources to help you:
- 2.2.5 - Re-authenticating - WUHCAG: Web Accessibility for Developers
- HTML CodeSniffer 2.2.5 Re-authenticating - HTML_CodeSniffer