Session Timeout Usability [www.codinghorror.com]
Jeff Atwood is frustrated with web sites that time out a session and lose the data that was typed into a form. There is a huge comment thread discussing the various ways around this. Most of them are overly complex and try to use tricks like refreshing the page using AJAX. The simple answer, of course, is: don't lose the user's work.
Some commenters say you should just lock your computer, but that obviously is not appropriate in all situations. Short session timeouts are not the right answer for all situations either.
Session timeouts are necessary for security in some applications: online banking is the example most people know, and the same goes for any application that expects users on a shared computer. The developers and administrators of a site need to balance security and usability and decide on the right session timeout.
Another option is to keep the user's session active for a long time, but ask for authentication on certain actions. Amazon.com is the best-known example of this. It seems like you are logged in forever, but to buy something you need to type in your password.
OpenACS supports timing out sessions and setting different login requirements for various actions, allowing an authenticated user with a timed-out session to read normally but not to perform actions such as adding new content. It also passes the submitted form data along and redirects you right back to where you were once you have logged in again after a session timeout.
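The pattern from the last two paragraphs, as an added sketch that is not code from the original post or from OpenACS: a long-lived session that allows reads, demands a fresh password for sensitive actions, and holds the submitted form server-side so it is replayed once after re-login. The lifetimes, action names and function names are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

SESSION_LIFETIME = 30 * 24 * 3600        # assumed: identity remembered for 30 days
REAUTH_WINDOW = 15 * 60                  # assumed: password must be this fresh to write
SENSITIVE = {"purchase", "add_content"}  # assumed action names

@dataclass
class Session:
    user: str
    created: float
    last_auth: float                     # when the password was last verified
    pending: Optional[tuple] = None      # (action, form) parked during re-login

def check(session, action, now):
    """Return 'login', 'reauth' or 'allow' for this action."""
    if session is None or now - session.created > SESSION_LIFETIME:
        return "login"
    if action in SENSITIVE and now - session.last_auth > REAUTH_WINDOW:
        return "reauth"
    return "allow"

def submit(session, action, form, now, handler):
    """Run the action, or park the form and ask for the password again."""
    decision = check(session, action, now)
    if decision == "allow":
        return ("done", handler(session.user, action, form))
    if decision == "reauth":
        # Held in server-side session state, never in a URL or hidden field,
        # so it cannot be read or altered while the user re-authenticates.
        session.pending = (action, dict(form))
        return ("reauth", None)
    # No valid session to bind the form to; the caller re-renders it after login.
    return ("login", None)

def reauthenticate(session, password_ok, now, handler):
    """After a password check, refresh last_auth and replay the parked form once."""
    if not password_ok:
        return ("reauth", None)          # parked form stays until login succeeds
    session.last_auth = now
    if session.pending is None:
        return ("done", None)
    action, form = session.pending
    session.pending = None               # one-shot: never replay a second time
    return submit(session, action, form, now, handler)
```

The parked form is tied to the session that submitted it and cleared on replay, so a repeated login cannot trigger the same purchase or post twice.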