The purpose of this success criterion is to allow all users to complete authenticated transactions that are subject to an inactivity time limit (for example, a session that expires or times out) or to other situations that could log a user out in the middle of completing the transaction.
Official Requirements
2.2.5 Re-authenticating: When an authenticated session expires, the user can continue the activity without loss of data after re-authenticating. (Level AAA)
Why is it required?
As a security measure, many websites end an authenticated session after a certain period of inactivity on the page. Such time restrictions cause a lot of problems for people with disabilities, who may need more time to complete the respective activity. In some cases, websites also log a person out of a session if they sign in from a different computer, or if any unusual activity makes the site doubt that the person is still the legitimate account holder who signed in originally.
When people are logged out in the middle of a transaction, it is critical to provide them with a feature that allows them to re-authenticate and continue the transaction without losing any of the data they had already entered.
How do we fix it?
1. When a user is logged out of a session and is prompted to sign in again, the server should store the information entered so far in a temporary cache. Once the user has re-authenticated, the data is retrieved from the temporary cache and the user can continue the transaction as though they were never logged out.
2. If the data cannot be stored in a temporary cache, another way is to have the server carry the information as hidden fields in the re-authentication page. Once the user signs in again, the data is passed from the re-authentication page back to the original page.
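The two approaches above, as an added example that is not part of the original page or of any particular framework: a small in-memory model of a server that stashes in-progress form data when the session has expired (approach 1) and, as the fallback, carries the data through the re-authentication page as a signed hidden field (approach 2). Names such as PendingStore, handle_submit, handle_login, pack_hidden and unpack_hidden are assumptions for illustration. The example also adds the checks a defender would want on top of the page's description: the stashed data is bound to the account that was logged out and is never handed to a different account, it expires after a fixed time, and it is released only once; the hidden-field variant is HMAC-protected so the client cannot alter it while it passes through the login page.

```python
"""Added example (not from the page): keeping form data across re-authentication."""
import base64
import hashlib
import hmac
import json
import secrets
import time

STASH_TTL_SECONDS = 15 * 60           # how long stashed data is kept for someone re-signing in
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for the hidden-field MAC
TAG_LEN = hashlib.sha256().digest_size


class PendingStore:
    """Approach 1: temporary server-side cache of in-progress form data."""

    def __init__(self, ttl=STASH_TTL_SECONDS, clock=time.time):
        self._items = {}      # token -> (owner user_id, form data, expiry time)
        self._ttl = ttl
        self._clock = clock   # injectable clock so expiry can be exercised deterministically

    def stash(self, user_id, form_data):
        # Unguessable, one-time token that is passed to the login page as a resume handle.
        token = secrets.token_urlsafe(32)
        self._items[token] = (user_id, dict(form_data), self._clock() + self._ttl)
        return token

    def restore(self, token, user_id):
        entry = self._items.pop(token, None)   # pop: a token can be redeemed only once
        if entry is None:
            return None
        owner, data, expires = entry
        # Only the account that was logged out may get the data back, and only while fresh.
        if owner != user_id or self._clock() > expires:
            return None
        return data


def handle_submit(session, form_data, store):
    """Simulated form POST. Returns ('ok', data) while the session is live, or
    ('reauth', token) when the session has expired and the data was stashed."""
    if session.get("expired"):
        token = store.stash(session["user_id"], form_data)
        return ("reauth", token)
    return ("ok", form_data)


def handle_login(user_id, password_ok, resume_token, store):
    """Simulated sign-in. On success the stashed data (if any) is returned so the
    original form can be re-rendered pre-filled; failed logins get nothing."""
    if not password_ok:
        return None
    restored = store.restore(resume_token, user_id) if resume_token else None
    return {"user_id": user_id, "expired": False, "restored_form": restored}


def pack_hidden(user_id, form_data, issued_at=None, key=SERVER_KEY):
    """Approach 2: serialise the data for a hidden input on the re-auth page, with an
    HMAC so it cannot be altered in transit. It is integrity-protected, not secret,
    so secrets must not be placed in it."""
    body = json.dumps({"u": user_id, "d": form_data,
                       "t": time.time() if issued_at is None else issued_at},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unpack_hidden(blob, user_id, now=None, max_age=STASH_TTL_SECONDS, key=SERVER_KEY):
    """Verify the hidden field after re-authentication; None means 'do not trust it'."""
    raw = base64.urlsafe_b64decode(blob.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                       # tampered or forged
    obj = json.loads(body)
    now = time.time() if now is None else now
    if obj["u"] != user_id or now - obj["t"] > max_age:
        return None                       # belongs to another account, or too old
    return obj["d"]


if __name__ == "__main__":
    store = PendingStore()
    session = {"user_id": "alice", "expired": True}      # constructed: session timed out
    status, token = handle_submit(session, {"amount": "42"}, store)
    print(status, handle_login("alice", True, token, store)["restored_form"])
```

In a real deployment the stash would live in the session store or a cache shared by all application servers, and the resume token would travel in the redirect to the login page rather than in a function argument; the binding to the original account and the one-time, time-limited redemption are the parts worth keeping whatever the storage.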
Mistakes to avoid
Upon re-authentication, if the previous state of the user's transaction, including all the data that had been entered earlier into the form, is not restored, the user will have to start the whole form-filling process over. For users with certain physical or cognitive limitations, it is likely that the session will expire again before they finish filling in the form. This, in turn, creates a situation in which a user who needs extra time to complete the form can never successfully complete it.
Reference