Enhancing the user experience with the idle timer
Welcome to the first blog in the Site24x7 engineering blog series.
We're happy to share the experiments and methods our developers have successfully implemented to provide a better, safer, and more interactive UI to our customers. Here's how implementing an idle timer improved the user experience.
Say you're using Site24x7 for your monitoring needs: You'll be accessing various dashboards, debugging errors, or generating reports on a day-to-day basis in the Site24x7 web client. The Site24x7 web client auto-refreshes data every minute to ensure that the information displayed is up to date. A timer will be ticking at the backend to trigger the data refresh at stipulated intervals. But feedback from customers indicated that this was a stumbling block in performing activities without hindrance.
For instance, while scrolling through our Site24x7 web client or while editing some details, you might face a sudden interruption due to an auto-refresh, forcing you back to the top of the page before you can complete your changes. This is because the Site24x7 web client instantly reacts to alerts and will auto-refresh to show the updated data. This is exclusive of the live status updates. In an attempt to solve this, we've brought in a few changes to the web client to enhance usability.
Idle timer
We've implemented an idle timer in the web client to fix the auto-refresh interruption. Idle time is defined as the time when the user isn't interacting with a page or application even though they're logged in. Interaction in this context includes mouse movements, page clicks, and keyboard usage.
Events like auto-refreshing the page will be done during idle phases, when users aren't performing any actions. Admins can configure session timeouts to disconnect inactive or idle sessions and force users to reconnect. A well-controlled idle time or session timeout can help protect web pages or applications from threats like session hijacking. The preferred time period for an idle timer is 2-5 minutes.
Why is the idle timer important?
Auto-refreshing a page in the middle of a session or forcefully logging out an idle user can affect the usability of a site. So why do applications and websites use idle timers? To ensure the security of their customers. With the cyber threats and attacks constantly evolving, ensuring a secure cyberspace for customers is a major concern for online platforms, especially when the information shared is confidential.
Imagine that you are in the middle of an important payment transaction, and then you leave your desk for a few minutes. You were in a hurry, so you forgot to log out of the site. This leaves an easy window for a malicious insider to sit down at your laptop and steal your session token, which they can then use to obtain credentials like usernames or passwords.
Cyberattacks like the OddJob Trojan, which happened in 2011, worked in a similar manner; it attacked Internet Explorer and Firefox and stole session identifiers of platforms like banking applications. In cases like these, an idle timeout can avoid threats like cookie theft. Some sites, including Site24x7, use auto-refreshing to update the latest information on the page or to avoid needless backend API calls.
Idle timer in banking platforms
Banking websites use idle timers to implement the auto log out feature when the user is inactive for a certain time. After a period of inactivity during an online banking session, you'll be logged out automatically. You might've experienced this if you've ever paused too long when completing a payment process.
The amount of time you can spend idle before you're logged out will depend on the site you are visiting, but the most common time limit used is six minutes. When you're not performing any action to initiate a conversation with the banking site for six minutes, it'll log you out. This is done as a security measure to protect the sensitive information that you might be sharing through the platform.
For instance, in the middle of a transaction with your bank, you get a call and end up leaving your desk with your systems still on. After being idle for a certain amount of time, the transaction session automatically logs you out. Now, even if a person tries to check your system for any easily obtainable sensitive information, they won't be able to access any of the confidential information that you were handling thanks to the bank's system automatically logging you out. But, one major drawback is that you'll need to log in again and reenter the information after being logged out.
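One way a server can enforce the idle logout described above while the page keeps polling in the background, shown as an added example that is not Site24x7's or any bank's code. `SessionStore` and the `userInitiated` flag are hypothetical names, and the session id is assumed to come from a CSPRNG elsewhere.

```javascript
// Added example; SessionStore and `userInitiated` are hypothetical names.
const IDLE_LIMIT_MS = 6 * 60 * 1000; // the six-minute limit mentioned above

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // session id -> { user, lastUserActivity }
  }

  // `id` is assumed to be an unguessable value generated by a CSPRNG.
  create(id, user) {
    this.sessions.set(id, { user, lastUserActivity: this.now() });
  }

  // Returns the user for a live session, or null if unknown or idled out.
  // Only user-initiated requests slide the idle window. Background polling
  // (such as a once-a-minute auto-refresh) is served but does not extend
  // the session; otherwise an unattended tab would never idle out.
  touch(id, { userInitiated }) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (this.now() - s.lastUserActivity >= IDLE_LIMIT_MS) {
      this.sessions.delete(id); // expire on the server, not just in the UI
      return null;
    }
    if (userInitiated) s.lastUserActivity = this.now();
    return s.user;
  }
}
```

The flag is set by the page's own client code to separate its polling from real user actions; the expiry decision itself stays on the server.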
Features of the idle timer in Site24x7
Taking user experience and security concerns into consideration, our implementation of the idle timer is different from that used in banking platforms. We'll provide ample time for the users to perform actions before a full page refresh or reload or any other action that may change the view. We recognize mouse clicks, key presses, and scrolling as user actions proving you're not idle; for each of these actions, 30 seconds will be assigned before an auto-refresh is carried out, ensuring users' efforts aren't wasted.
When any operation that can potentially disturb the view is scheduled during a time when a user is actively completing a task in Site24x7, that operation will be postponed until after the user completes their task. On the other hand, when certain status updates will change the data and not the view, the idle timer will be ignored. This way, we can ensure that the data is updated as soon as possible without impacting the user experience.
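A sketch of the behavior described in this section, written as an added example and not Site24x7's actual code: each user action grants 30 seconds, view-changing operations wait for idle, and data-only updates bypass the timer. `IdleGate`, its method names, and `refreshView` are hypothetical.

```javascript
// Added example; IdleGate and its method names are hypothetical.
const GRACE_MS = 30_000; // 30 seconds granted after each user action

class IdleGate {
  constructor({ now = () => Date.now(),
                setTimer = (fn, ms) => setTimeout(fn, ms),
                clearTimer = (t) => clearTimeout(t) } = {}) {
    Object.assign(this, { now, setTimer, clearTimer });
    this.lastActivity = -Infinity; // no activity seen yet counts as idle
    this.pending = new Map();      // key -> view-changing op awaiting idle
    this.timer = null;
  }
  // Call from click, keydown and scroll listeners.
  recordActivity() {
    this.lastActivity = this.now();
    if (this.pending.size) this.arm(); // push deferred work back 30 seconds
  }
  isIdle() { return this.now() - this.lastActivity >= GRACE_MS; }
  // View-changing work (refresh, reload) waits; the same key coalesces so
  // several postponed refreshes run once.
  scheduleViewChange(key, op) {
    if (this.isIdle()) return void op();
    this.pending.set(key, op);
    this.arm();
  }
  // Updates that change data but not the view ignore the idle timer.
  applyDataUpdate(op) { op(); }
  arm() {
    if (this.timer !== null) this.clearTimer(this.timer);
    const wait = GRACE_MS - (this.now() - this.lastActivity);
    this.timer = this.setTimer(() => this.flush(), wait);
  }
  flush() {
    this.timer = null;
    if (!this.isIdle()) return this.arm(); // activity raced the timer
    const ops = [...this.pending.values()];
    this.pending.clear();
    ops.forEach((op) => op());
  }
}

// Browser wiring; skipped where there is no window object.
if (typeof window !== 'undefined') {
  const gate = new IdleGate();
  for (const ev of ['click', 'keydown', 'scroll'])
    window.addEventListener(ev, () => gate.recordActivity(), { capture: true, passive: true });
  const refreshView = () => window.location.reload(); // placeholder refresh
  setInterval(() => gate.scheduleViewChange('refresh', refreshView), 60_000);
}
```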
If you're a developer trying to improve the usability of your web client, try implementing an idle timer to ensure a better experience for your users. We hope our experience will help you keep your customers happy.
Watch this space for more blogs on interesting technical topics and behind-the-scenes stories from our engineering team.