OK. Besides what people say, things like "if the user spends more than 1 hour on the form there is something wrong with the form" or "if the user stays idle for that long, it's their problem, just throw them back to login page", we live in a real world with real people, and time is money. Let's say you run an online store and the user has put $10,000 worth in their shopping cart, their phone rings and their girlfriend talks for 1 hour... Let's say your form is a textarea where the user decides to write their entire life... Let's say your app is a webmail. The email body is a form, right? We don't want the user to lose an email that they spent 2 hours writing to their loved ones or to an important customer, so we save a draft! There are many different possibilities that would justify a timer, storing data and pinging the server.
If you are on a time/money critical form page, do not hesitate to refresh the server and keep the session alive. Monitor a few events, like keypresses, clicks, etc. This will refresh the session in a legitimate way, as long as it gives a clue that the user is there.
- Use browser events to keep the session alive even before the form is submitted
- If the session is about to expire, save as a draft.
- If the session is expired, use a lightbox to get credentials again.
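
The three steps above, sketched as an added example (not code from the original post): user input triggers throttled keep-alive pings, a draft is saved once when the idle time nears the limit, and the re-login prompt opens after expiry. `createSessionKeeper`, the `/session/ping` endpoint and the timing values are assumptions, and the server remains the authority on whether the session is still valid.

```javascript
// Added example. createSessionKeeper, /session/ping and the timing values are
// hypothetical; the server stays the authority on whether the session is valid.
function createSessionKeeper({ ttlMs, warnMs, minPingGapMs, ping, saveDraft, promptLogin, now = Date.now }) {
  let lastPing = now();   // last moment the server extended the session
  let state = 'alive';    // 'alive' | 'expiring' | 'expired'
  return {
    // Call from keypress/click handlers. Only real input extends the session,
    // and pings are throttled so typing does not flood the server.
    activity() {
      if (state === 'expired') return state;      // needs credentials, not a ping
      if (now() - lastPing >= minPingGapMs) {
        ping();
        lastPing = now();
        state = 'alive';
      }
      return state;
    },
    // Call on a short timer to detect the idle thresholds.
    tick() {
      const idle = now() - lastPing;
      if (idle >= ttlMs) {
        if (state !== 'expired') { state = 'expired'; promptLogin(); }
      } else if (idle >= ttlMs - warnMs && state === 'alive') {
        state = 'expiring';
        saveDraft();                              // once per warning window
      }
      return state;
    },
    // Call after the lightbox login succeeds.
    renewed() { lastPing = now(); state = 'alive'; return state; },
  };
}

// Browser wiring (skipped outside a browser).
if (typeof document !== 'undefined') {
  const keeper = createSessionKeeper({
    ttlMs: 30 * 60 * 1000, warnMs: 2 * 60 * 1000, minPingGapMs: 60 * 1000,
    ping: () => fetch('/session/ping', { method: 'POST', credentials: 'same-origin' }),
    saveDraft: () => console.log('save the form as a draft here'),
    promptLogin: () => console.log('open the re-login lightbox here'),
  });
  ['keypress', 'click'].forEach((ev) => document.addEventListener(ev, keeper.activity));
  setInterval(keeper.tick, 5000);
}
```

Because pings are sent only from input handlers, a tab left open with nobody at the keyboard still reaches the idle timeout.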