For banking sites, and other sites with secure transaction flows, it is standard practice to have the user’s web session time out after they have been idle for some time. What is not standard is to apply this same logic to a user who has not even signed into the site.
After going to StarOne.org, and navigating away from the browser, I returned in about an hour. What I saw was surprising – the site had timed out even though I had never signed in. This is annoying and unnecessary.
Here’s the PG&E treatment for a web session time out:
What I don’t like is that this is done in a layer, with the main page still visible behind it. The main reasons a site times out a session are the user’s security and privacy. With this treatment, the privacy aspect is not protected at all: anyone who walks up to the computer can see what the previous user was doing behind the layer. In terms of security, while the layer may stop a new, malicious user from getting into the original user’s account, leaving the original user’s account number on screen is a security hole.
A better way to do it is to paint a new “timeout” page:
Or in the case of Bank of America, paint an interstitial temporary “you are about to timeout” page. Then redirect the user to the home page.
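The following is an added example (not code from this post or from any of the sites it names) of the treatment described above: an idle timer that first shows a "you are about to time out" notice, then blanks account data from the page before redirecting, so nothing stays readable behind a layer. The timings, the `data-sensitive` attribute and the `timeout-notice` element id are assumptions.

```javascript
// Idle-session handling that warns first, then wipes sensitive content
// before redirecting. Timings are assumed policy values. The server must
// still expire the session itself; this only controls what stays on screen.

const WARN_AFTER_MS = 13 * 60 * 1000;   // start the "about to time out" notice
const EXPIRE_AFTER_MS = 15 * 60 * 1000; // end the session

class IdleSession {
  constructor(startedAt) { this.lastActivity = startedAt; }

  // Call only on real user input (click, keydown, ...), never from timers.
  touch(now) { this.lastActivity = now; }

  // What the page should show at time `now` (milliseconds).
  state(now) {
    const idle = now - this.lastActivity;
    if (idle >= EXPIRE_AFTER_MS) return { phase: 'expired', redirectTo: '/' };
    if (idle >= WARN_AFTER_MS) {
      const secondsLeft = Math.ceil((EXPIRE_AFTER_MS - idle) / 1000);
      return { phase: 'warning', secondsLeft };
    }
    return { phase: 'active' };
  }
}

// Apply a state to the page. `doc` is the browser `document` (or a stand-in
// with querySelectorAll/getElementById); `navigate` performs the redirect,
// e.g. url => location.replace(url), which also drops the page from history.
function applyState(doc, state, navigate) {
  if (state.phase === 'expired') {
    // Blank every element the template marked data-sensitive (account numbers,
    // balances) so the data is gone even if navigation is slow or blocked.
    for (const el of doc.querySelectorAll('[data-sensitive]')) el.textContent = '';
    navigate(state.redirectTo);
    return 'redirected';
  }
  const notice = doc.getElementById('timeout-notice'); // assumed element id
  if (notice) notice.textContent =
    state.phase === 'warning' ? `Your session ends in ${state.secondsLeft} s` : '';
  return state.phase;
}

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  const session = new IdleSession(Date.now());
  for (const ev of ['click', 'keydown', 'scroll']) {
    document.addEventListener(ev, () => session.touch(Date.now()));
  }
  setInterval(() => applyState(document, session.state(Date.now()),
                                url => location.replace(url)), 1000);
}
```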