I don’t know if it’s a good idea for sites to do so, but I personally hate websites having some sort of timeout and then killing the session if they don’t detect activity. I never walk away from my system with it unlocked. Sometimes I need to do other things on another desktop, and I don’t want to be forced to manually click things to keep the session live. I will grant that probably, there are people who don’t do that, but this really is obnoxious.
Also, very short timeouts on 2FA systems that use stuff like email. I’ve had antispam systems greylist authentication emails and that create problems with sites that have short timeouts.
If your website is light-mode, also have a dark mode. And respect the user’s requested dark-mode setting from the browser via prefers-color-scheme. Don’t require them to use the site in some default mode to go through the login process and log in and explicitly set the thing in your internal account settings. That’s especially annoying for users who may have something like time-based modes on their system (I don’t, always want dark mode, but it’s extra obnoxious for them.)
I think that the entire “m.” convention for forcing use of a mobile site — Wikipedia being a prominent example of this practice — is a terrible idea. It means that mobile users inadvertently send links to desktop users that force a mobile-mode page, which is virtually never desirable for the desktop users. I don’t know what the state-of-the-art here is in web dev, but I am very certain that there are better options than that, because lots of sites manage to have a mobile site without doing this. If you want to have a way to force mobile or force desktop mode in your URL, fine. But for God’s sake, don’t make that the default. I have spent more time manually stripping “m.” off Wikipedia URLs on discussion sites so as not to inconvenience desktop users when I happen to be using mobile, or stripping it out of URLs from mobile users when I’m on a desktop…and yes, there are extensions to help with this, but it really shouldn’t be a problem in the first place, I think.
I like my browser’s back button to work. Some sites maintain session state that cause things to break when moving back to a prior page. Short of some obvious examples, where irrevocable changes to state have occurred (e.g. making a payment at a bank to someone) and it’s obviously not possible to back things out, I want to be able to use my browser’s features.
I agree with all of this but I’ll add that email and SMS-based 2FA needs to disappear. It’s not secure, it’s time-consuming and we should be using Passkeys by now.
I don’t know if it’s a good idea for sites to do so, but I personally hate websites having some sort of timeout and then killing the session if they don’t detect activity. I never walk away from my system with it unlocked. Sometimes I need to do other things on another desktop, and I don’t want to be forced to manually click things to keep the session live. I will grant that probably, there are people who don’t do that, but this really is obnoxious.
Also, very short timeouts on 2FA systems that use stuff like email. I’ve had antispam systems greylist authentication emails and that create problems with sites that have short timeouts.
If your website is light-mode, also have a dark mode. And respect the user’s requested dark-mode setting from the browser via prefers-color-scheme. Don’t require them to use the site in some default mode to go through the login process and log in and explicitly set the thing in your internal account settings. That’s especially annoying for users who may have something like time-based modes on their system (I don’t, always want dark mode, but it’s extra obnoxious for them.)
I think that the entire “m.” convention for forcing use of a mobile site — Wikipedia being a prominent example of this practice — is a terrible idea. It means that mobile users inadvertently send links to desktop users that force a mobile-mode page, which is virtually never desirable for the desktop users. I don’t know what the state-of-the-art here is in web dev, but I am very certain that there are better options than that, because lots of sites manage to have a mobile site without doing this. If you want to have a way to force mobile or force desktop mode in your URL, fine. But for God’s sake, don’t make that the default. I have spent more time manually stripping “m.” off Wikipedia URLs on discussion sites so as not to inconvenience desktop users when I happen to be using mobile, or stripping it out of URLs from mobile users when I’m on a desktop…and yes, there are extensions to help with this, but it really shouldn’t be a problem in the first place, I think.
I like my browser’s back button to work. Some sites maintain session state that cause things to break when moving back to a prior page. Short of some obvious examples, where irrevocable changes to state have occurred (e.g. making a payment at a bank to someone) and it’s obviously not possible to back things out, I want to be able to use my browser’s features.
prefers-color-schemecriminally underutilised , gotta agree there ‼️I agree with all of this but I’ll add that email and SMS-based 2FA needs to disappear. It’s not secure, it’s time-consuming and we should be using Passkeys by now.