Is there a best practice or industry standard for the length of "time out" for web pages for e-commerce businesses with websites containing personal identity information?
views: 57
answers: 2
I think it's too dependent on the scope. A banking site is going to have a shorter timeout than a forum. 5 minutes is probably a good standard for important things, 20 minutes for less important things.
I would think during QA testing you would keep track of the average length of time it takes a user to do a task on the site. With this average in mind you would adjust accordingly and figure out the standard deviation, using that to make a good timeout time.
An example:
It takes a user an average of 5 minutes to perform a task. Let's say your SD is 2, so you'd have 5-2SD on the low end, so one minute, and 5+2SD on the high end, so that's 9 minutes. Take the high end and display a warning that the user is about to be logged off, then wait one minute and log them off automatically.
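The procedure from the answer above, as an added example that is not part of the original post: it derives the warning point as mean plus two standard deviations of measured task durations, then enforces the one-minute grace period on the server so an expired session cannot be revived by a late request. The function and class names, the optional `ceiling` parameter and the sample durations are assumptions made for illustration.

```python
import statistics
from dataclasses import dataclass

GRACE_SECONDS = 60  # the answer's one-minute wait after the warning

# Constructed QA measurements in seconds (mean 5 min, sample SD 2 min).
SAMPLE_DURATIONS = [180, 300, 420]


def warn_after_seconds(task_durations, ceiling=None):
    """Mean + 2 SD of task durations, optionally capped by a policy ceiling."""
    if len(task_durations) < 2:
        raise ValueError("need at least two measurements to estimate the SD")
    mean = statistics.mean(task_durations)
    sd = statistics.stdev(task_durations)  # sample standard deviation
    value = mean + 2 * sd
    if ceiling is not None:  # hypothetical cap, e.g. 300 for sensitive pages
        value = min(value, ceiling)
    return int(round(value))


@dataclass
class Session:
    last_activity: float  # server clock, in seconds
    warn_after: int       # idle seconds before the warning is shown

    def state(self, now):
        """Classify the session from idle time measured on the server."""
        idle = now - self.last_activity
        if idle >= self.warn_after + GRACE_SECONDS:
            return "expired"
        if idle >= self.warn_after:
            return "warn"
        return "active"

    def touch(self, now):
        """Record a request; an expired session is never revived."""
        if self.state(now) == "expired":
            return False
        self.last_activity = now
        return True
```

With the sample data the warning appears after 540 seconds of inactivity and the session ends at 600 seconds; the browser-side warning is only a courtesy, since the decision is made from the server's own clock.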