2.2.6 Timeouts
What it requires
Whenever inactivity can cause a user to lose data, you must warn them up front how long that inactivity period is — before they start the task. The only exception is when the data is preserved for more than 20 hours of inactivity.
The point is predictability: people who work slowly should never be surprised by a silent session timeout that wipes out a half-finished form, an unsaved cart, or partly entered application data. Telling them the limit in advance lets them plan, save their progress, or arrange the time they need.
- People with cognitive or learning disabilities who need extra time to read, decide, and enter information.
- People with motor disabilities who type or navigate slowly, or who use switch access and assistive input.
- Screen-reader and magnifier users, for whom completing a long form simply takes longer.
- Anyone interrupted mid-task who returns to find their data silently discarded.
How to detect it
| Check | How | What passes |
|---|---|---|
| Find data-loss timeouts | Inventory sessions, forms, carts, and authenticated flows; ask where idle time discards user input. | Each such timeout is identified. |
| Warning present | Read the page/flow before starting the task — manually. | The inactivity duration is stated to the user beforehand. |
| 20-hour exception | Confirm with engineering how long unsaved data survives inactivity. | Data preserved > 20 h needs no warning. |
| Assistive tech | Keyboard and screen-reader pass: is the warning reachable and announced? | Warning is perceivable to AT users. |
| Automated tools | axe and similar scanners. | Cannot detect this — manual review only. |
How to fix it
- Identify every timeout where inactivity can destroy user data.
- Where feasible, preserve the data for more than 20 hours so no warning is needed.
- Otherwise, state the inactivity limit in plain text before the user begins.
- Place the notice so keyboard and screen-reader users encounter it in reading order.
<p class="form-notice">
For your security, this session ends after
<strong>30 minutes</strong> of inactivity. Unsaved
changes will be lost, so save before stepping away.
</p>
Copy-paste tests
Automated coverage
There is no fully automated axe-core rule for 2.2.6 Timeouts — a tool cannot know your inactivity timeout or whether users are warned. This criterion needs manual review using the console check and steps below.
Run this in the browser console
// Read-only: surfaces likely data-loss timeout triggers for human review.
const suspects = [...document.querySelectorAll(
'[data-timeout],[data-session-timeout],meta[http-equiv="refresh"]'
)];
suspects.forEach(el => { el.style.outline = '2px solid red'; });
console.table(suspects.map(el => ({
tag: el.tagName,
timeout: el.getAttribute('data-timeout')
|| el.getAttribute('data-session-timeout')
|| el.getAttribute('content'),
text: (el.textContent || '').trim().slice(0, 60)
})));
console.log('Outlined %d possible timeout sources.', suspects.length);
What to check manually: Confirm any inactivity timeout warns users beforehand and lets them extend it, and verify unsaved data survives a timeout (or that the user is told it will be lost) — no script can confirm either.
Related
- WCAG 2.2 criteria index — all 87 success criteria.
- Learn catalog — lessons mapped to criteria.
- Accessible forms — where session and timeout warnings most often apply.