Re-authenticating
Success Criterion 2.2.5 (Level AAA)

Question

When a session times out and re-authentication is required, is previously entered form data retained so the user does not have to re-enter data?

Why is this important?

Individuals with visual disabilities, dexterity impairments, and cognitive limitations may require more time to perform online functions such as entering data into a web page or application. Some sites implement security measures that log the user out after a set period of inactivity. If a user is required to re-authenticate by logging in again, restoring previously entered data lets them resume where they left off and finish the activity.

Whom does it benefit?

Example 1:

As a person with a visual impairment who uses a screen reader, completing forms can be difficult and time-consuming.
I want previously entered data to be restored if I am automatically timed out of a session,
so that I can log back in and continue to complete the form where I left off.

What should you do?

If a site or application uses time limits for security measures, ensure data entered by the user is saved prior to requiring re-authentication by the user. After re-authentication is successful, repopulate the data fields with previously entered data.

How do you do it?

  • When a user is timed out of a session and is prompted to log in again, the server should store the data in a temporary cache. Once re-authenticated, the data is made available from the cache and the user may continue as if they were never logged out.
  • If the data cannot be stored in a temporary cache, another option is to have the server pass the information as “hidden data” into a re-authentication page. Once the user logs in again, the data is passed from the re-authentication page to the current page.
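A sketch of the first option (the temporary server-side cache), added here as an example and not part of the original guidance. The function names, the in-memory dictionary standing in for the cache, and the 15-minute retention window are assumptions. The saved data is bound to the user and form it came from, so it is only handed back to the same user after re-authentication, and only the opaque token travels through the login page.

```python
import secrets
import time

STASH_TTL_SECONDS = 15 * 60   # assumed retention window, not from the guidance
_stash = {}                   # stand-in for a server-side temporary cache


def stash_form(user_id, form_id, fields, now=None):
    """Save in-progress form data when the session times out.

    Returns an opaque random token that is carried through the login
    page in place of the form data itself.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _stash[token] = {
        "user_id": user_id,            # who entered the data
        "form_id": form_id,            # which form it belongs to
        "fields": dict(fields),        # copy, so later edits do not leak in
        "expires": now + STASH_TTL_SECONDS,
    }
    return token


def restore_form(token, authenticated_user_id, form_id, now=None):
    """Return the saved fields after re-authentication, or None."""
    now = time.time() if now is None else now
    entry = _stash.get(token)
    if entry is None:
        return None                    # unknown or already used token
    if now > entry["expires"]:
        del _stash[token]              # expired data is purged, not restored
        return None
    if entry["user_id"] != authenticated_user_id or entry["form_id"] != form_id:
        return None                    # a different user never sees the data
    del _stash[token]                  # single use: restore once, then forget
    return entry["fields"]


if __name__ == "__main__":
    # Constructed sample data for illustration.
    t = stash_form("alice", "benefits-claim", {"address": "1 Example St"})
    print(restore_form(t, "alice", "benefits-claim"))
```
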

Need technical guidance?

Additional Resources to help you: