PA-DSS standards require users to re-authenticate if their session has been idle for more than 15 minutes. AspDotNetStorefront enforces that requirement on all pages for logged-in users, and on checkout pages for anonymous visitors. If a customer sits idle for too long on a page, they will be shown the following alert:
If the user does not click 'OK' within 1 minute, their session ends and the first notification is replaced with this one:
At that point, clicking 'OK' (or anything else on the page) will force the user to start their session over again. For customers who were logged in when their session expired, anything in their cart will have been saved, and they'll be sent back to the page they were last on when they log in again.
Configuration
Store administrators have control over these alerts as follows:
Visibility - Whether or not the alerts display at all. This is controlled by the SessionTimeoutWarning.Enabled Setting. Note that even if the alerts aren't displayed, the session timeouts are enforced. See 'Delay' below for more info.
Text - The content of the alerts can be changed by editing the SessionExpiring and SessionExpired topics. The button text comes from the sessiontimer.expiringbuttontext and sessiontimer.expiredbuttontext Prompts.
Delay - How long customers can sit idle before seeing these alerts can be controlled by changing the SessionTimeoutInMinutes Setting. Note that as of 9.5.1.0, there is a new Setting called AdminSessionTimeoutInMinutes, which controls how long admin users may remain idle before being logged out of the admin console.