As important as data security is, someone experiencing certain physical or cognitive limitations may run into trouble using an authenticated site. If they’re on a page with a timed session, they may be automatically logged off for security reasons before they are able to finish what they want to do.
For this reason, WCAG 2.2.5 dictates that anyone using an authenticated site be able to continue working after their session expires without losing any data.
Say someone is shopping online:
They go to check out, but while they are keying in their credit card information, their session expires. Following WCAG 2.2.5, this person should be able to finish filling in their credit card information, then sign in again when they finally opt to continue to the next screen.
Even though they completed the form after they were automatically signed out, the site has saved that information for them, pending re-authentication. Think of it as a kind of grace period.
For another common example, let’s turn to email. Imagine someone is drafting a message, when their email client warns them that their session is set to expire soon. Following this rule, the email client can provide the user with a link that opens a sign-in window in a separate tab. The user can then sign in again in the separate tab and finish writing and sending their email without losing any of their work.