From 31bba0460737d6a96e31102e7b1cebb3784405f7 Mon Sep 17 00:00:00 2001
From: haworku <haworku@users.noreply.github.com>
Date: Mon, 16 Sep 2024 13:08:49 -0500
Subject: [PATCH] MCR-3849 Fix session timeout (#2719)

* Bring back changes from PR #2159

* Cleanup modals
- inherit from base Modal
- create SessionTimeoutModal as own component
- simplify styles
- removing V2 naming from UnlockResubmitModal

* Add IdleTimer
- add  to package.json
- remove session timeout custom timekeeping, props from AuthContext
- add IdleTimer to AuthenticatedRouteWrapper
- start to add tests

* Get existing tests passing

* Add more mocked out tests

* Handle cases where timeout countdown and session duration are set to incompatible values

* Fix countdown

* Add cross-tab support

* Get s3Context to manually check auth if it fails and user logged out

* Fixup AuthneticatedRouteWrapper tests

* Write more unit tests, mock out more tests as well to write

* Get remaining AuthenticatedRouteWrapper tests passing

* Add back feature flag handling for showing the session expiration modal

* lint changed files

* Create ModalOpenButton and store activModalID in page context

* Get only one modal at a time behavior working

* Get only one modal at a time behavior working

* Add more async handling - try to address CI only unit test flakes

* Lint cleanup

* Get doubleclick bug addressed

* Code review comments and cleanup

* Refactor cognitoAuth to return Errors, unify logout handling for various cases

* make modal close more snappy

* cleanup

* Don't allow continue session if timer elapsed (but logout failed due to machine sleep

* Also update copy when session expired but modal still open
---
 .../feature-brief-session-expiration.md       |  12 +-
 docs/technical-design/tealium-logging.md      |   8 +-
 pnpm-lock.yaml                                |  14 +
 services/app-web/package.json                 |   1 +
 .../src/components/Header/Header.test.tsx     |  61 ----
 .../app-web/src/components/Header/Header.tsx  |  17 +-
 .../src/components/Modal/Modal.module.scss    |  14 +
 .../src/components/Modal/Modal.test.tsx       |  28 +-
 .../app-web/src/components/Modal/Modal.tsx    |  29 +-
 .../ModalOpenButton/ModalOpenButton.test.tsx  |  19 ++
 .../Modal/ModalOpenButton/ModalOpenButton.tsx |  51 ++++
 .../components/Modal/SessionTimeoutModal.tsx  |  67 +++++
 .../Modal/UnlockSubmitModal.module.scss       |  18 --
 .../Modal/UnlockSubmitModal.test.tsx          |   2 +-
 ...ubmitModalV2.tsx => UnlockSubmitModal.tsx} |  16 +-
 .../app-web/src/components/Modal/index.ts     |   3 +-
 .../UnlockRateButton.tsx                      |   2 +-
 services/app-web/src/contexts/AuthContext.tsx | 269 ++++++++----------
 services/app-web/src/contexts/PageContext.tsx |  25 +-
 services/app-web/src/contexts/S3Context.tsx   |  15 +-
 services/app-web/src/localAuth/LocalLogin.tsx |  28 +-
 services/app-web/src/pages/App/App.tsx        |   4 +-
 .../app-web/src/pages/App/AppRoutes.test.tsx  |   6 +-
 services/app-web/src/pages/App/AppRoutes.tsx  |  30 +-
 services/app-web/src/pages/Auth/Auth.test.tsx |  32 ++-
 .../app-web/src/pages/Auth/Login.test.tsx     |   4 +-
 services/app-web/src/pages/Auth/Login.tsx     |  56 ++--
 services/app-web/src/pages/Auth/Signup.tsx    |  32 +--
 .../app-web/src/pages/Auth/cognitoAuth.ts     | 153 +++++-----
 .../src/pages/Landing/Landing.test.tsx        |  28 +-
 .../app-web/src/pages/Landing/Landing.tsx     |   7 +
 .../V2/ReviewSubmit/ReviewSubmitV2.tsx        |  22 +-
 .../SubmissionSummary/SubmissionSummary.tsx   |  11 +-
 .../AuthenticatedRouteWrapper.test.tsx        | 236 +++++++++++----
 .../Wrapper/AuthenticatedRouteWrapper.tsx     | 181 ++++++------
 35 files changed, 837 insertions(+), 664 deletions(-)
 create mode 100644 services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.test.tsx
 create mode 100644 services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.tsx
 create mode 100644 services/app-web/src/components/Modal/SessionTimeoutModal.tsx
 delete mode 100644 services/app-web/src/components/Modal/UnlockSubmitModal.module.scss
 rename services/app-web/src/components/Modal/{V2/UnlockSubmitModalV2.tsx => UnlockSubmitModal.tsx} (96%)

diff --git a/docs/technical-design/feature-brief-session-expiration.md b/docs/technical-design/feature-brief-session-expiration.md
index f497fdaafc..1bb6678445 100644
--- a/docs/technical-design/feature-brief-session-expiration.md
+++ b/docs/technical-design/feature-brief-session-expiration.md
@@ -2,9 +2,9 @@
 
 ## Introduction
 
-We use a third-party authentication provider ([IDM](https://confluenceent.cms.gov/display/IDM/IDM+Trainings+and+Guides)) which automatically logs out sessions due to inactivity after about 30 minutes. We don't have direct access to their timekeeping, but we know this is about how long they allow a session to be inactive. Thus, we manually track sessions internally for the same time period.
+We use a third-party authentication provider ([IDM](https://confluenceent.cms.gov/display/IDM/IDM+Trainings+and+Guides)) which automatically logs out sessions due to inactivity after about 30 minutes. Although MC-Review user sessions are handled by AWS Amplify/Cognito after login, we follow the same rules. We currently don't access Cognito to check if our session is active. Instead, we manually track sessions internally in state via [`react-idle-timer`](https://idletimer.dev/). This also allows us to follow the CMS Acceptable Risk Safeguards(ARS) controls `AC-11 Idle Session Timeout` and `AC-12(03) Timeout Warning Message`.
 
-Importantly this featured is permanently feature-flagged since we have different requirements between production/staging and lower environments. More details about feature flags [below](#implementation-details).
+The session timeout duration is also permanently feature-flagged since we have different requirements between production/staging and lower environments. More details about feature flags [below](#implementation-details).
 
 ## Expected behavior
  Two minutes before the session will expire due to inactivity we show a warning modal. The modal displays a live countdown and has CTA buttons with 1. the ability to log out immediately 2. the ability to extend the session. This helps us fulfill accessibility requirements around [WCAG 2.2.1 Timing Adjustable](https://www.w3.org/WAI/WCAG21/Understanding/timing-adjustable.html).
@@ -14,7 +14,7 @@ Importantly this featured is permanently feature-flagged since we have different
 ### Possible outcomes after the session expiration modal is displayed:
 1. If the user chooses to logout, we redirect to landing page.
 2. If the user extends the session, we refresh their tokens and restart our counter for the session.
-3. If the user takes no action and the browser is still active, the 2 minute countdown will complete and the user will be automatically logged out and a error banner will appear on the landing page notifying them what happened.
+3. If the user takes no action and the browser is still active, the countdown completes and the user is automatically logged out and redirected to landing page. A session expired banner notifies them what happened.
 
 ![session expired banner - relevant for outcome 3](../../.images/session-expired-banner.png)
 
@@ -24,7 +24,7 @@ This auto logout behavior will happen even if the browser tab is in the backgrou
 These are edge cases we decided not to address. Documenting for visibility.
 
 - The user puts computer to sleep while logged in (before session expiration modal is visible) and comes back after the session has expired.
-    - In this case, the session expiration modal will not display. The user will still  appear to be logged in when they relaunch their computer. However, as soon as the user takes an action that hits the API and we get a 403, we will follow the code path for outcome #3 above - automatically log the user and show the session expired error banner.
+    - In this case, the session expiration modal will not display. The user will still appear logged in when they relaunch their computer and browser. However, as soon as the user takes an action that hits the graphql API or tries to upload a file to S3, we will follow the code path for outcome #3 above - logout the user, redirect to landing page, show session expired error banner.
 - The user has MC-Review open in multiple tabs and then logs out of only one tab manually before session expiration.
     - This is not an ideal user experience. This is why we recommend users navigate the application in one tab at time. If the user logs out then goes to another tab that is still open and starts using the application, they will be able to make some requests with the cached user but at a certain point the requests will error (this may or may not be auth errors, sometimes the API may fail first with 400s and thus the generic failed request banner will show)
 
@@ -35,7 +35,3 @@ These are edge cases we decided not to address. Documenting for visibility.
 - Primary logic for the feature is found in `AuthContext.tsx`
     - `MODAL_COUNTDOWN_DURATION` is the hard-coded constant that holds the amount of time the modal will be visible prior to logout for inactivity. It is set to 2 minutes.
     - use of `session-timeout`query param to ensure error banner displays
-    - `sessionExpirationTime` is the date and time at which the session will expire and `updateSessionExpirationTime` is the method to extend the session when the user is active
-    - `setLogoutCountdownDuration` used to decrement the countdown duration for display in the modal
-    - `sessionIsExpiring` boolean tracks whether we're inside the countdown duration (if true, modal is visible) this is updated with `updateSessionExpirationState`
-    - `checkIfSessionsIsAboutToExpire` check current session time on an interval in the background. It determines if it is time to show modal
diff --git a/docs/technical-design/tealium-logging.md b/docs/technical-design/tealium-logging.md
index e4fa1f20fc..11df25e507 100644
--- a/docs/technical-design/tealium-logging.md
+++ b/docs/technical-design/tealium-logging.md
@@ -1,6 +1,6 @@
 # Tealium Logging
 ## Background
-We use a tool called Tealium to hook into the CMS customer analytics tools. The data is then sent to Adobe Analytics (previously CMS used Google Analytics). Access to analytics tools is set up through another team, Blast Analytics. They are contractors with a focus on analytics and work across all CMS domains. 
+We use a tool called Tealium to hook into the CMS customer analytics tools. The data is then sent to Adobe Analytics (previously CMS used Google Analytics). Access to analytics tools is set up through another team, Blast Analytics. They are contractors with a focus on analytics and work across all CMS domains.
 
 ## Implementation
 
@@ -27,7 +27,7 @@ The `useTealium` hook utilizes tealium client functions in the Context to provid
 There are wrapper functions in this hook for specific user event types to constrain the event and parameter values before passing it to `logUserEvent`. This allows type safety and a reference to what event and parameter values the event accepts.
 
 ```typescript
-const context = React.useContext(TealiumContext) 
+const context = React.useContext(TealiumContext)
 
 ...
 
@@ -47,11 +47,11 @@ const logButtonEvent = (
 ```
 These `useTealium` functions are then used in components like `Button` and `Link` to log when they are clicked. Since most of these components are configured and used similarly, wrapper components were made with built-in logging to replace the default components for easy implementation of logging. They can be found in `components/TealiumLogging`.
 
-Not all components are wrapped like this. Some, like `ModalToggleButton` are rarely used, so in those cases we can directly use `logButtonEvent` in the `onClick` prop.
+Not all components are wrapped like this, it is still possible to directly use tealium actions.
 
 ### Adding user event types
 
-To add a new user event type: 
+To add a new user event type:
 - Define a type for the event parameter values for the event type. You can find all the data fields for a given event in the [Tagging Strategy](https://confluence.cms.gov/pages/viewpage.action?spaceKey=BLSTANALYT&title=mc-review.onemac.cms.gov+-+Tagging+Strategy) doc on confluence.
 - Then we add that type to `TealiumEventObjectTypes`.
 ```typescript
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 47b64c1a63..b5162b3e47 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -481,6 +481,9 @@ importers:
       react-error-boundary:
         specifier: ^4.0.10
         version: 4.0.13(react@18.3.1)
+      react-idle-timer:
+        specifier: ^5.7.2
+        version: 5.7.2(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       react-router:
         specifier: ^6.23.1
         version: 6.23.1(react@18.3.1)
@@ -11148,6 +11151,12 @@ packages:
   react-fast-compare@2.0.4:
     resolution: {integrity: sha512-suNP+J1VU1MWFKcyt7RtjiSWUjvidmQSlqu+eHslq+342xCbGTYmC0mEhPCOHxlW0CywylOC1u2DFAT+bv4dBw==}
 
+  react-idle-timer@5.7.2:
+    resolution: {integrity: sha512-+BaPfc7XEUU5JFkwZCx6fO1bLVK+RBlFH+iY4X34urvIzZiZINP6v2orePx3E6pAztJGE7t4DzvL7if2SL/0GQ==}
+    peerDependencies:
+      react: '>=16'
+      react-dom: '>=16'
+
   react-is@16.13.1:
     resolution: {integrity: sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==}
 
@@ -28641,6 +28650,11 @@ snapshots:
 
   react-fast-compare@2.0.4: {}
 
+  react-idle-timer@5.7.2(react-dom@18.3.1(react@18.3.1))(react@18.3.1):
+    dependencies:
+      react: 18.3.1
+      react-dom: 18.3.1(react@18.3.1)
+
   react-is@16.13.1: {}
 
   react-is@17.0.2: {}
diff --git a/services/app-web/package.json b/services/app-web/package.json
index 42cde0ef6e..2eb2786bd1 100644
--- a/services/app-web/package.json
+++ b/services/app-web/package.json
@@ -112,6 +112,7 @@
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
         "react-error-boundary": "^4.0.10",
+        "react-idle-timer": "^5.7.2",
         "react-router": "^6.23.1",
         "react-router-dom": "^6.23.1",
         "react-select": "^5.7.7",
diff --git a/services/app-web/src/components/Header/Header.test.tsx b/services/app-web/src/components/Header/Header.test.tsx
index ce26e22d03..e0f5988030 100644
--- a/services/app-web/src/components/Header/Header.test.tsx
+++ b/services/app-web/src/components/Header/Header.test.tsx
@@ -167,67 +167,6 @@ describe('Header', () => {
 
             await waitFor(() => expect(spy).toHaveBeenCalledTimes(1))
         })
-
-        it('calls setAlert when logout is unsuccessful', async () => {
-            const spy = vi
-                .spyOn(CognitoAuthApi, 'signOut')
-                .mockRejectedValue('This logout failed!')
-            const mockAlert = vi.fn()
-
-            const { user } = renderWithProviders(
-                <Header authMode={'AWS_COGNITO'} setAlert={mockAlert} />,
-                {
-                    apolloProvider: {
-                        mocks: [
-                            fetchCurrentUserMock({ statusCode: 200 }),
-                            fetchCurrentUserMock({ statusCode: 403 }),
-                        ],
-                    },
-                }
-            )
-
-            await waitFor(() => {
-                const yourAccountButton = screen.getByRole('button', {
-                    name: 'Your account',
-                })
-                expect(yourAccountButton).toBeInTheDocument()
-                void user.click(yourAccountButton)
-            })
-
-            await waitFor(() => {
-                const signOutButton = screen.getByRole('button', {
-                    name: 'Sign out',
-                })
-                expect(signOutButton).toBeInTheDocument()
-                void user.click(signOutButton)
-            })
-
-            await waitFor(() => expect(spy).toHaveBeenCalledTimes(1))
-            await waitFor(() => expect(mockAlert).toHaveBeenCalled())
-        })
-
-        it('does not render MC-review settings link for State users', async () => {
-            renderWithProviders(<Header authMode={'AWS_COGNITO'} />, {
-                apolloProvider: {
-                    mocks: [
-                        fetchCurrentUserMock({
-                            statusCode: 200,
-                        }),
-                    ],
-                },
-            })
-
-            await waitFor(() => {
-                const yourAccountButton = screen.getByRole('button', {
-                    name: 'Your account',
-                })
-                expect(yourAccountButton).toBeInTheDocument()
-            })
-
-            expect(
-                screen.queryByRole('link', { name: 'MC-Review settings' })
-            ).toBeNull()
-        })
     })
 })
 
diff --git a/services/app-web/src/components/Header/Header.tsx b/services/app-web/src/components/Header/Header.tsx
index 21dac32cca..f62a3ccede 100644
--- a/services/app-web/src/components/Header/Header.tsx
+++ b/services/app-web/src/components/Header/Header.tsx
@@ -9,8 +9,6 @@ import { Logo } from '../Logo'
 import styles from './Header.module.scss'
 import { PageHeadingRow } from './PageHeadingRow/PageHeadingRow'
 import { UserLoginInfo } from './UserLoginInfo/UserLoginInfo'
-import { recordJSException } from '../../otelHelpers'
-import { ErrorAlertSignIn } from '../ErrorAlert'
 
 export type HeaderProps = {
     authMode: AuthModeType
@@ -34,18 +32,9 @@ export const Header = ({
     const { heading } = usePage()
     const { currentRoute: route } = useCurrentRoute()
 
-    const handleLogout = (
-        e: React.MouseEvent<HTMLButtonElement, MouseEvent>
-    ) => {
-        if (!logout) {
-            console.info('Something went wrong ', e)
-            return
-        }
-
-        logout({ sessionTimeout: false }).catch((e) => {
-            recordJSException(`Error with logout: ${e}`)
-            setAlert && setAlert(<ErrorAlertSignIn />)
-        })
+    const handleLogout = async () => {
+        await logout({type: 'ERROR'})
+        // no need to handle errors, logout will handle
     }
 
     return route !== 'GRAPHQL_EXPLORER' ? (
diff --git a/services/app-web/src/components/Modal/Modal.module.scss b/services/app-web/src/components/Modal/Modal.module.scss
index 622e5b871b..e2c34833d7 100644
--- a/services/app-web/src/components/Modal/Modal.module.scss
+++ b/services/app-web/src/components/Modal/Modal.module.scss
@@ -8,4 +8,18 @@
             margin: 0;
         }
     }
+
+    textarea {
+        max-width: 100%;
+        margin-bottom: 1rem;
+    }
+
 }
+
+.submitSuccessButton {
+    background: custom.$mcr-success-base;
+    &:hover {
+        background-color: custom.$mcr-success-hover !important;
+    }
+}
+
diff --git a/services/app-web/src/components/Modal/Modal.test.tsx b/services/app-web/src/components/Modal/Modal.test.tsx
index 8693f39897..cee0f399ca 100644
--- a/services/app-web/src/components/Modal/Modal.test.tsx
+++ b/services/app-web/src/components/Modal/Modal.test.tsx
@@ -6,6 +6,7 @@ import {
     userClickByTestId,
     renderWithProviders,
 } from '../../testHelpers/jestHelpers'
+import { ModalOpenButton } from './ModalOpenButton/ModalOpenButton'
 
 describe('Modal', () => {
     it('Renders element by default with modal hidden', () => {
@@ -199,13 +200,12 @@ describe('Modal', () => {
                     >
                         <textarea data-testid="modal-children" />
                     </Modal>
-                    <ModalToggleButton
+                    <ModalOpenButton
                         modalRef={modalRef}
-                        data-testid="opener-button"
-                        opener
+                        id="opener-button"
                     >
                         Open modal
-                    </ModalToggleButton>
+                    </ModalOpenButton>
                 </div>
             )
             await userClickByTestId(screen, 'opener-button')
@@ -225,13 +225,13 @@ describe('Modal', () => {
                     >
                         <textarea data-testid="modal-children" />
                     </Modal>
-                    <ModalToggleButton
+                    <ModalOpenButton
                         modalRef={modalRef}
-                        data-testid="opener-button"
+                        id="opener-button"
                         opener
                     >
                         Open modal
-                    </ModalToggleButton>
+                    </ModalOpenButton>
                 </div>
             )
 
@@ -255,13 +255,12 @@ describe('Modal', () => {
                     >
                         <textarea data-testid="modal-children" />
                     </Modal>
-                    <ModalToggleButton
+                    <ModalOpenButton
                         modalRef={modalRef}
-                        data-testid="opener-button"
-                        opener
+                        id="opener-button"
                     >
                         Open modal
-                    </ModalToggleButton>
+                    </ModalOpenButton>
                 </div>
             )
             await userClickByTestId(screen, 'opener-button')
@@ -292,13 +291,12 @@ describe('Modal', () => {
                     >
                         <textarea data-testid="modal-children" />
                     </Modal>
-                    <ModalToggleButton
+                    <ModalOpenButton
                         modalRef={modalRef}
-                        data-testid="opener-button"
-                        opener
+                        id="opener-button"
                     >
                         Open modal
-                    </ModalToggleButton>
+                    </ModalOpenButton>
                 </div>
             )
 
diff --git a/services/app-web/src/components/Modal/Modal.tsx b/services/app-web/src/components/Modal/Modal.tsx
index 9fde5a5bae..4fd2004a56 100644
--- a/services/app-web/src/components/Modal/Modal.tsx
+++ b/services/app-web/src/components/Modal/Modal.tsx
@@ -1,4 +1,4 @@
-import React, { useEffect } from 'react'
+import React, {useEffect} from 'react'
 import {
     ButtonGroup,
     Modal as UswdsModal,
@@ -14,8 +14,8 @@ import {
 import styles from './Modal.module.scss'
 
 import { ActionButton } from '../ActionButton'
-import { useAuth } from '../../contexts/AuthContext'
 import { ButtonWithLogging } from '../TealiumLogging'
+import { usePage } from '../../contexts/PageContext'
 
 interface ModalComponentProps {
     id: string
@@ -48,23 +48,26 @@ export const Modal = ({
     modalAlert,
     ...divProps
 }: ModalProps): React.ReactElement => {
-    const { sessionIsExpiring } = useAuth()
-
-    /* unless it's the session expiring modal, close it if the session is expiring, so the user can interact
-    with the session expiring modal */
-    useEffect(() => {
-        if (id !== 'extend-session-modal' && sessionIsExpiring) {
-            modalRef.current?.toggleModal(undefined, false)
-        }
-    }, [sessionIsExpiring, modalRef, id])
-
+    const {updateModalRef} = usePage()
     const cancelHandler = (e: React.MouseEvent): void => {
         if (onCancel) {
             onCancel()
         }
+        updateModalRef({updatedModalRef: undefined})
         modalRef.current?.toggleModal(undefined, false)
     }
 
+    const submitHandler = (e: React.MouseEvent): void => {
+        if (onSubmit) {
+            onSubmit()
+        }
+        updateModalRef({updatedModalRef: undefined})
+        // do not close modal here manually
+        // sometimes validation fails and we want to keep modal open but display errors
+        // consumer should determine wether or not to close modal in onSubmit
+
+    }
+
     return (
         <UswdsModal
             aria-labelledby={`${id}-heading`}
@@ -108,7 +111,7 @@ export const Modal = ({
                         variant="success"
                         id={`${id}-submit`}
                         parent_component_type="modal"
-                        onClick={onSubmit}
+                        onClick={submitHandler}
                         loading={isSubmitting}
                         {...submitButtonProps}
                     >
diff --git a/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.test.tsx b/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.test.tsx
new file mode 100644
index 0000000000..4a280db9ad
--- /dev/null
+++ b/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.test.tsx
@@ -0,0 +1,19 @@
+import { screen} from '@testing-library/react'
+import { renderWithProviders } from '../../../testHelpers'
+import { ModalOpenButton } from './ModalOpenButton'
+import { createRef} from 'react'
+import { type ModalRef } from '@trussworks/react-uswds'
+
+describe('ModalOpenButton', () => {
+    it('renders without errors', () => {
+        const testRef =   createRef<ModalRef>()
+        renderWithProviders(
+            <ModalOpenButton id='123' modalRef={testRef}>submit 123</ModalOpenButton>
+        )
+        expect(
+            screen.getByRole('button', {
+                name: 'submit 123',
+            })
+        ).toBeInTheDocument()
+    })
+})
diff --git a/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.tsx b/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.tsx
new file mode 100644
index 0000000000..07c93696a7
--- /dev/null
+++ b/services/app-web/src/components/Modal/ModalOpenButton/ModalOpenButton.tsx
@@ -0,0 +1,51 @@
+import React, {ComponentProps} from 'react'
+import {
+    ModalToggleButton as UswdsModalToggleButton,
+    type ModalRef,
+} from '@trussworks/react-uswds'
+import { useTealium } from '../../../hooks'
+import { usePage } from '../../../contexts/PageContext'
+import { extractText } from '../../TealiumLogging/tealiamLoggingHelpers'
+
+type ModalOpenButtonProps = {
+    id: string,
+    modalRef: React.RefObject<ModalRef>,
+    children: React.ReactNode
+} & ComponentProps<typeof UswdsModalToggleButton>
+
+export const ModalOpenButton = ({
+    modalRef,
+    id,
+    children,
+    ...restProps
+}: ModalOpenButtonProps): React.ReactElement => {
+    const { logButtonEvent } = useTealium()
+    const {activeModalRef, updateModalRef} = usePage()
+   const handleOnClick = () => {
+
+    // Make sure our global state tracks what modal is now open
+    if(activeModalRef !== modalRef) {
+        updateModalRef({updatedModalRef: modalRef})
+    }
+
+
+        logButtonEvent({
+            text: extractText(children),
+            button_type: 'button',
+            button_style: 'success',
+            parent_component_type: 'page body',
+        })
+   }
+    return (
+        <UswdsModalToggleButton
+        {...restProps}
+        modalRef={modalRef}
+        data-testid={id}
+        id={id}
+        onClick={handleOnClick}
+        opener
+    >
+        {children}
+    </UswdsModalToggleButton>
+    )
+}
diff --git a/services/app-web/src/components/Modal/SessionTimeoutModal.tsx b/services/app-web/src/components/Modal/SessionTimeoutModal.tsx
new file mode 100644
index 0000000000..a7feb032dc
--- /dev/null
+++ b/services/app-web/src/components/Modal/SessionTimeoutModal.tsx
@@ -0,0 +1,67 @@
+import React, {useEffect, useState} from 'react'
+import { ModalRef } from '@trussworks/react-uswds'
+import { Modal } from './Modal'
+import styles from './Modal.module.scss'
+import { useIdleTimerContext } from 'react-idle-timer'
+import dayjs from 'dayjs'
+import { SESSION_ACTIONS } from '../../pages/Wrapper/AuthenticatedRouteWrapper'
+
+type SessionTimeoutModalProps = {
+    modalRef: React.RefObject<ModalRef>
+}
+
+export const SessionTimeoutModal = ({
+  modalRef,
+}: SessionTimeoutModalProps): React.ReactElement | null => {
+    const idleTimer = useIdleTimerContext()
+    const [countdownSeconds, setCountdownSeconds]= useState(idleTimer.getRemainingTime() / 1000)
+
+    const handleLogoutSession = async () => {
+        idleTimer.message({action: SESSION_ACTIONS.LOGOUT_SESSION}, true)
+    }
+    const handleContinueSession = async () => {
+        idleTimer.activate()
+        idleTimer.message({action:SESSION_ACTIONS.CONTINUE_SESSION}, true)
+    }
+    useEffect(() => {
+        const interval = setInterval(() => {
+          setCountdownSeconds(Math.ceil(idleTimer.getRemainingTime() / 1000))
+        }, 500)
+
+        return () => {
+          clearInterval(interval)
+        }
+      })
+
+    const countdownElapsed = countdownSeconds == 0
+    return (
+        <Modal
+        modalRef={modalRef}
+        id="extend-session-modal"
+        modalHeading="Session Expiring"
+        onSubmitText="Continue Session"
+        onCancelText="Logout"
+        onCancel={handleLogoutSession}
+        submitButtonProps={{ className: styles.submitSuccessButton, disabled: countdownElapsed}}
+        onSubmit={handleContinueSession}
+        forceAction={true}
+    >
+        <p
+            aria-live={'assertive'}
+            aria-atomic={true}
+        >
+            Your session is going to expire in&nbsp;
+            <span data-testid="remaining">{dayjs
+                .duration(countdownSeconds, 'seconds')
+                .format('mm:ss')}</span>
+        </p>
+        <p>
+        {countdownElapsed ? 'Your session is now expired.' : 'If you would like to extend your session, click the Continue Session button.'}
+        </p>
+        <p>
+            If you would like to end your session now, click the
+            Logout button.
+        </p>
+    </Modal>
+    )
+}
diff --git a/services/app-web/src/components/Modal/UnlockSubmitModal.module.scss b/services/app-web/src/components/Modal/UnlockSubmitModal.module.scss
deleted file mode 100644
index 6cb877323f..0000000000
--- a/services/app-web/src/components/Modal/UnlockSubmitModal.module.scss
+++ /dev/null
@@ -1,18 +0,0 @@
-@use '../../styles/custom.scss' as custom;
-@use '../../styles/uswdsImports.scss' as uswds;
-
-.reviewSectionWrapper {
-    max-width: custom.$mcr-container-standard-width-fixed;
-}
-
-.submitButton {
-    background: custom.$mcr-success-base;
-    &:hover {
-        background-color: custom.$mcr-success-hover !important;
-    }
-}
-
-.modalInputTextarea {
-    max-width: 100%;
-    margin-bottom: 1rem;
-}
diff --git a/services/app-web/src/components/Modal/UnlockSubmitModal.test.tsx b/services/app-web/src/components/Modal/UnlockSubmitModal.test.tsx
index 45a9cb38a0..942047f177 100644
--- a/services/app-web/src/components/Modal/UnlockSubmitModal.test.tsx
+++ b/services/app-web/src/components/Modal/UnlockSubmitModal.test.tsx
@@ -8,7 +8,7 @@ import {
     mockContractPackageSubmitted,
     unlockHealthPlanPackageMockError,
 } from '../../testHelpers/apolloMocks'
-import { UnlockSubmitModal } from './V2/UnlockSubmitModalV2'
+import { UnlockSubmitModal } from './UnlockSubmitModal'
 import { renderWithProviders } from '../../testHelpers/jestHelpers'
 import { Location } from 'react-router-dom'
 import {
diff --git a/services/app-web/src/components/Modal/V2/UnlockSubmitModalV2.tsx b/services/app-web/src/components/Modal/UnlockSubmitModal.tsx
similarity index 96%
rename from services/app-web/src/components/Modal/V2/UnlockSubmitModalV2.tsx
rename to services/app-web/src/components/Modal/UnlockSubmitModal.tsx
index d9579f58fa..76cbf4ab5d 100644
--- a/services/app-web/src/components/Modal/V2/UnlockSubmitModalV2.tsx
+++ b/services/app-web/src/components/Modal/UnlockSubmitModal.tsx
@@ -8,19 +8,18 @@ import {
     useUnlockContractMutation,
     FetchHealthPlanPackageWithQuestionsDocument,
     FetchContractDocument,
-} from '../../../gen/gqlClient'
+} from '../../gen/gqlClient'
 import { useFormik } from 'formik'
-import { usePrevious } from '../../../hooks/usePrevious'
-import { Modal } from '../Modal'
-import { PoliteErrorMessage } from '../../PoliteErrorMessage'
+import { usePrevious } from '../../hooks/usePrevious'
+import { Modal } from './Modal'
+import { PoliteErrorMessage } from '../PoliteErrorMessage'
 import * as Yup from 'yup'
-import styles from '../UnlockSubmitModal.module.scss'
-import { GenericApiErrorProps } from '../../Banner/GenericApiErrorBanner/GenericApiErrorBanner'
-import { ERROR_MESSAGES } from '../../../constants/errors'
+import { GenericApiErrorProps } from '../Banner/GenericApiErrorBanner/GenericApiErrorBanner'
+import { ERROR_MESSAGES } from '../../constants/errors'
 import {
     submitMutationWrapperV2,
     unlockMutationWrapperV2,
-} from '../../../gqlHelpers/mutationWrappersForUserFriendlyErrors'
+} from '../../gqlHelpers/mutationWrappersForUserFriendlyErrors'
 
 const RATE_UNLOCK_SUBMIT_TYPES = [
     'SUBMIT_RATE',
@@ -338,7 +337,6 @@ export const UnlockSubmitModal = ({
                             name="unlockSubmitModalInput"
                             data-testid="unlockSubmitModalInput"
                             aria-labelledby="unlock-submit-modal-input-hint"
-                            className={styles.modalInputTextarea}
                             aria-required
                             error={!!formik.errors.unlockSubmitModalInput}
                             onChange={formik.handleChange}
diff --git a/services/app-web/src/components/Modal/index.ts b/services/app-web/src/components/Modal/index.ts
index c29ca56a86..abacd47183 100644
--- a/services/app-web/src/components/Modal/index.ts
+++ b/services/app-web/src/components/Modal/index.ts
@@ -1,2 +1,3 @@
 export { Modal } from './Modal'
-export {UnlockSubmitModal} from './V2/UnlockSubmitModalV2'
+export {UnlockSubmitModal} from './UnlockSubmitModal'
+export {ModalOpenButton} from './ModalOpenButton/ModalOpenButton'
\ No newline at end of file
diff --git a/services/app-web/src/components/SubmissionSummarySection/RateDetailsSummarySection/UnlockRateButton.tsx b/services/app-web/src/components/SubmissionSummarySection/RateDetailsSummarySection/UnlockRateButton.tsx
index c8980e2600..4c050c6196 100644
--- a/services/app-web/src/components/SubmissionSummarySection/RateDetailsSummarySection/UnlockRateButton.tsx
+++ b/services/app-web/src/components/SubmissionSummarySection/RateDetailsSummarySection/UnlockRateButton.tsx
@@ -1,7 +1,7 @@
 import { ActionButton } from '../../ActionButton'
 import { TealiumButtonEventObject } from '../../../tealium'
 
-// Eventually ActionButton will be entirely swapped out for ModalToggleButton - part MCR-3782 when unlock reason modal is added
+// Eventually ActionButton will be entirely swapped out for ModalOpenButton - part MCR-3782 when unlock reason modal is added
 type UnlockRateButtonProps = JSX.IntrinsicElements['button'] &
     Partial<TealiumButtonEventObject>
 
diff --git a/services/app-web/src/contexts/AuthContext.tsx b/services/app-web/src/contexts/AuthContext.tsx
index 5bf9345426..ab85b68773 100644
--- a/services/app-web/src/contexts/AuthContext.tsx
+++ b/services/app-web/src/contexts/AuthContext.tsx
@@ -1,49 +1,54 @@
-import React, { MutableRefObject, useEffect, useRef, useState } from 'react'
+import React, { useState } from 'react'
 import { useLDClient } from 'launchdarkly-react-client-sdk'
 import * as ld from 'launchdarkly-js-client-sdk'
 import { AuthModeType } from '../common-code/config'
-import { useFetchCurrentUserQuery, User as UserType } from '../gen/gqlClient'
+import {extendSession} from '../pages/Auth/cognitoAuth'
+import {
+    FetchCurrentUserQuery,
+    useFetchCurrentUserQuery,
+    User as UserType,
+} from '../gen/gqlClient'
 import { logoutLocalUser } from '../localAuth'
 import { signOut as cognitoSignOut } from '../pages/Auth/cognitoAuth'
-import { featureFlags } from '../common-code/featureFlags'
-import { dayjs } from '../common-code/dateHelpers/dayjs'
 import { recordJSException } from '../otelHelpers/tracingHelper'
 import { handleApolloError } from '../gqlHelpers/apolloErrors'
-
-type LogoutFn = () => Promise<null>
-
-export type LoginStatusType = 'LOADING' | 'LOGGED_OUT' | 'LOGGED_IN'
-export const MODAL_COUNTDOWN_DURATION = 2 * 60 // session expiration modal counts down for 120 seconds (2 minutes)
+import { ApolloQueryResult } from '@apollo/client'
+
+// Constants and types
+type LoginStatusType = 'LOADING' | 'LOGGED_OUT' | 'LOGGED_IN'
+type LogoutType = 'TIMEOUT' | 'ERROR' | 'DEFAULT'
+const LOGOUT_TYPES:  Record<LogoutType, string> = {
+    TIMEOUT: 'SESSION_TIMEOUT',
+    ERROR: 'SESSION_ERROR',
+    DEFAULT: 'DEFAULT'
+}
+const LOGOUT_PATHS: Record<LogoutType, string> = {
+    TIMEOUT: `/?session-timeout=true`,
+    ERROR: `/?signin-error=true`,
+    DEFAULT: `/`
+}
 
 type AuthContextType = {
-    /* See docs/AuthContext.md for an explanation of some of these variables */
-    checkAuth: () => Promise<void> // this can probably be simpler, letting callers use the loading states etc instead.
-    checkIfSessionsIsAboutToExpire: () => void
+    checkAuth: (
+        failureRedirect?: string
+    ) => Promise<ApolloQueryResult<FetchCurrentUserQuery> | Error>
+    refreshAuth: () => Promise<void>
     loggedInUser: UserType | undefined
     loginStatus: LoginStatusType
-    logout:
-        | undefined
-        | (({ sessionTimeout }: { sessionTimeout: boolean }) => Promise<void>) // sessionTimeout true when logout is due to session ending
-    logoutCountdownDuration: number
-    sessionExpirationTime: MutableRefObject<dayjs.Dayjs | undefined>
-    sessionIsExpiring: boolean
-    setLogoutCountdownDuration: (value: number) => void
-    updateSessionExpirationState: (value: boolean) => void
-    updateSessionExpirationTime: () => void
+    logout: ({
+        type,
+    }: {
+        type: LogoutType,
+    }) => Promise<void>
 }
 
+// MAIN
 const AuthContext = React.createContext<AuthContextType>({
     checkAuth: () => Promise.reject(Error('Auth context error')),
-    checkIfSessionsIsAboutToExpire: () => void 0,
     loggedInUser: undefined,
     loginStatus: 'LOADING',
-    logout: undefined,
-    logoutCountdownDuration: 120,
-    sessionExpirationTime: { current: undefined },
-    sessionIsExpiring: false,
-    setLogoutCountdownDuration: () => void 0,
-    updateSessionExpirationState: () => void 0,
-    updateSessionExpirationTime: () => void 0,
+    refreshAuth: () => Promise.resolve(undefined),
+    logout: () => Promise.resolve(undefined),
 })
 
 export type AuthProviderProps = {
@@ -60,46 +65,11 @@ function AuthProvider({
     )
     const [loginStatus, setLoginStatus] =
         useState<LoginStatusType>('LOGGED_OUT')
-    const ldClient = useLDClient()
-
-    // session expiration modal
-    const [sessionIsExpiring, setSessionIsExpiring] = useState<boolean>(false)
 
-    const minutesUntilExpiration: number = ldClient?.variation(
-        featureFlags.MINUTES_UNTIL_SESSION_EXPIRES.flag,
-        featureFlags.MINUTES_UNTIL_SESSION_EXPIRES.defaultValue
-    )
-    const sessionExpirationTime = useRef<dayjs.Dayjs>(
-        dayjs(Date.now()).add(minutesUntilExpiration, 'minute')
-    )
-    const [logoutCountdownDuration, setLogoutCountdownDuration] =
-        useState<number>(MODAL_COUNTDOWN_DURATION)
-    const modalCountdownTimers = useRef<NodeJS.Timeout[]>([])
-    const sessionExpirationTimers = useRef<NodeJS.Timeout[]>([])
     const { loading, data, error, refetch } = useFetchCurrentUserQuery({
         notifyOnNetworkStatusChange: true,
     })
 
-    useEffect(() => {
-        if (sessionIsExpiring) {
-            const timer = setInterval(() => {
-                // decrement the countdown timer by one second per second
-                modalCountdownTimers.current.push(timer)
-                if (logoutCountdownDuration > 0) {
-                    setLogoutCountdownDuration(
-                        (logoutCountdownDuration) => logoutCountdownDuration - 1
-                    )
-                }
-            }, 1000)
-        } else {
-            modalCountdownTimers.current.forEach((timer) =>
-                clearInterval(timer)
-            )
-            modalCountdownTimers.current = []
-        }
-        // eslint-disable-next-line react-hooks/exhaustive-deps
-    }, [sessionIsExpiring]) // full dep array causes a loop, because we're resetting the dep in the useEffect
-
     const isAuthenticated = loggedInUser !== undefined
 
     // add current authenticated user to launchdarkly client
@@ -136,7 +106,6 @@ function AuthProvider({
     if (!loading) {
         if (error) {
             handleApolloError(error, isAuthenticated)
-
             if (isAuthenticated) {
                 setLoggedInUser(undefined)
                 setLoginStatus('LOGGED_OUT')
@@ -144,112 +113,113 @@ function AuthProvider({
                     `[User auth error]: Unable to authenticate user though user seems to be logged in. Message: ${error.message}`
                 )
                 // since we have an auth request error but a potentially logged in user, we log out fully from Auth context and redirect to dashboard for clearer user experience
-                window.location.href = '/?session-timeout=true'
+                window.location.href =  LOGOUT_PATHS.ERROR
             }
         } else if (data?.fetchCurrentUser) {
             if (!isAuthenticated) {
                 const currentUser = data.fetchCurrentUser
                 setLDUser(currentUser).catch((err) => {
-                    console.info(err)
+                    recordJSException(
+                        new Error(`Cannot set LD User. ${JSON.stringify(err)}`)
+                    )
                 })
                 setLoggedInUser(currentUser)
                 setLoginStatus('LOGGED_IN')
             }
         }
     }
+        /*
+        Close user session and handle redirect afterward
+
+        @param {sessionTimeout} will pass along a URL query param to display session expired alert
+        @param {redirectPath} optionally changes redirect path on logout - useful for cognito and local login\
+
+        Logout is called when user clicks to logout from header or session expiration modal
+        Also called in the background with session times out
+    */
+        const logout: AuthContextType['logout'] = async ({
+            type = 'DEFAULT',
+        }) => {
+            const realLogout =
+                authMode === 'LOCAL' ? logoutLocalUser : cognitoSignOut
+
+        const logoutResponse =  await realLogout()
+        if (logoutResponse instanceof Error) {
+            recordJSException(new Error(`Logout Failed. ${JSON.stringify(logoutResponse)}`))
+            window.location.href = LOGOUT_PATHS.ERROR
+        } else {
+            switch (type) {
+                case LOGOUT_TYPES.TIMEOUT: {
+                    window.location.href = LOGOUT_PATHS.TIMEOUT
+                    return
+                }
+                case  LOGOUT_TYPES.ERROR: {
+                    window.location.href = LOGOUT_PATHS.ERROR
+                    return
+                }
+                default: {
+                    window.location.href = LOGOUT_PATHS.DEFAULT
+                    return
+                }
+            }
+        }
 
-    const checkAuth = () => {
-        return new Promise<void>((resolve, reject) => {
-            refetch()
-                .then(() => {
-                    resolve()
-                })
-                .catch((e) => {
-                    console.info('Check Auth Failed.', e)
-                    reject(e)
-                })
-        })
-    }
 
-    const updateSessionExpirationState = (value: boolean) => {
-        if (sessionIsExpiring !== value) {
-            setSessionIsExpiring(loggedInUser !== undefined && value)
         }
-    }
 
-    const updateSessionExpirationTime = () => {
-        sessionExpirationTime.current = dayjs(Date.now()).add(
-            minutesUntilExpiration,
-            'minute'
-        )
-    }
 
-    const checkIfSessionsIsAboutToExpire = () => {
-        if (!sessionIsExpiring) {
-            const timer = setInterval(() => {
-                sessionExpirationTimers.current.push(timer)
-                let insideCountdownDurationPeriod = false
-                if (sessionExpirationTime.current) {
-                    insideCountdownDurationPeriod = dayjs(Date.now()).isAfter(
-                        dayjs(sessionExpirationTime.current).subtract(
-                            MODAL_COUNTDOWN_DURATION,
-                            'second'
-                        )
-                    )
-                }
-                if (insideCountdownDurationPeriod) {
-                    /* Once we're inside the countdown period, we can stop the interval that checks
-                whether we're inside the countdown period */
-                    sessionExpirationTimers.current.forEach((t) =>
-                        clearInterval(t)
-                    )
-                    sessionExpirationTimers.current = []
-                    updateSessionExpirationState(true)
-                }
-            }, 1000 * 30)
+    /*
+        Refetches current user via graphql to confirm authentication
+        Also can reconfirm authentication, if unexpectedly logged out we know that session may have timed out or user was logged out of another tab
+        @param {failureRedirectPath} passed through to logout which is called on certain checkAuth failures
+
+        Use this function to reconfirm the user is logged in. Also used in CognitoLogin
+    */
+    const checkAuth: AuthContextType['checkAuth'] = async () => {
+        try {
+            return await refetch()
+        } catch (e) {
+            // if we fail auth at a time we expected logged in user, the session may have timed out. Logout fully to reflect that and force React state update
+            if (loggedInUser) {
+                await logout({
+                    type: 'TIMEOUT'
+                })
+            } else {
+                await logout({
+                    type: 'DEFAULT'
+                })
+            }
+            return new Error(e)
         }
     }
-
-    const realLogout: LogoutFn =
-        authMode === 'LOCAL' ? logoutLocalUser : cognitoSignOut
-
-    const logout =
-        loggedInUser === undefined
-            ? undefined
-            : ({ sessionTimeout }: { sessionTimeout: boolean }) => {
-                  return new Promise<void>((_resolve, reject) => {
-                      realLogout()
-                          .then(() => {
-                              // Hard navigate back to /
-                              // this is more like how things work with IDM anyway.
-                              if (sessionTimeout) {
-                                  window.location.href =
-                                      '/?session-timeout=true'
-                              } else {
-                                  window.location.href = '/'
-                              }
-                          })
-                          .catch((e) => {
-                              console.info('Logout Failed.', e)
-                              reject(e)
-                          })
-                  })
-              }
+ /*
+        Refreshes the cognito session token
+        Also can reconfirm authentication, if unexpectedly logged out we know that session may have timed out
+        @param {failureRedirectPath} passed through to logout which is called on certain checkAuth failures
+    */
+    const refreshAuth = async () => {
+        if (authMode !== 'LOCAL') {
+            const result = await extendSession()
+            if (result instanceof Error){
+                if (loggedInUser) {
+                    await logout({
+                        type: 'TIMEOUT'
+                    })
+            }
+            }
+        }
+            return
+    }
 
     return (
         <AuthContext.Provider
             value={{
-                checkAuth,
-                checkIfSessionsIsAboutToExpire,
                 loggedInUser,
                 loginStatus,
+                checkAuth,
+                refreshAuth,
                 logout,
-                logoutCountdownDuration,
-                sessionExpirationTime,
-                sessionIsExpiring,
-                setLogoutCountdownDuration,
-                updateSessionExpirationState,
-                updateSessionExpirationTime,
+
             }}
             children={children}
         />
@@ -258,4 +228,9 @@ function AuthProvider({
 
 const useAuth = (): AuthContextType => React.useContext(AuthContext)
 
-export { AuthProvider, useAuth }
+export { LOGOUT_TYPES,LOGOUT_PATHS,  AuthProvider, useAuth }
+
+export type {
+    LoginStatusType,
+    AuthContextType
+}
\ No newline at end of file
diff --git a/services/app-web/src/contexts/PageContext.tsx b/services/app-web/src/contexts/PageContext.tsx
index d1bb9b748e..3bc0c8941d 100644
--- a/services/app-web/src/contexts/PageContext.tsx
+++ b/services/app-web/src/contexts/PageContext.tsx
@@ -1,6 +1,7 @@
 import * as React from 'react'
 import { PageHeadingsRecord } from '../constants/routes'
 import { useCurrentRoute } from '../hooks/useCurrentRoute'
+import { ModalRef } from '@trussworks/react-uswds'
 
 /*
     Use sparingly.
@@ -8,11 +9,17 @@ import { useCurrentRoute } from '../hooks/useCurrentRoute'
 */
 type PageContextType = {
     heading?: string | React.ReactElement
+    activeModalRef?: React.RefObject<ModalRef>
     updateHeading: ({
         customHeading,
     }: {
         customHeading?: string | React.ReactElement
     }) => void
+    updateModalRef: ({
+        updatedModalRef,
+    }: {
+        updatedModalRef?: React.RefObject<ModalRef>
+    }) => void
 }
 
 const PageContext = React.createContext(null as unknown as PageContextType)
@@ -28,7 +35,9 @@ const PageProvider: React.FC<
     const [heading, setHeading] = React.useState<
         string | React.ReactElement | undefined
     >(undefined)
+    const [activeModal, setActiveModal] = React.useState<React.RefObject<ModalRef>| undefined>(undefined)
     const { currentRoute: routeName } = useCurrentRoute()
+
     /*
         Set headings in priority order
         1. If there a custom heading, use that (relevant for heading related to the api loaded resource, such as the submission name)
@@ -50,9 +59,23 @@ const PageProvider: React.FC<
         })
     }
 
+    /*
+        Set a ref pointing to currently visible modal
+        - is reset in child components when new modal open or back to undefined when existing modal is closed
+        - help ensure only one modal open at a time
+        - used in AuthenticatedRouteWrapper to close open modals when session timeout hit
+    */
+        const updateModalRef = ({
+            updatedModalRef,
+        }: {
+            updatedModalRef?: React.RefObject<ModalRef>
+        }) => {
+           setActiveModal(updatedModalRef)
+        }
+
     return (
         <PageContext.Provider
-            value={{ heading, updateHeading }}
+            value={{ heading, updateHeading, activeModalRef: activeModal, updateModalRef}}
             children={children}
         />
     )
diff --git a/services/app-web/src/contexts/S3Context.tsx b/services/app-web/src/contexts/S3Context.tsx
index 3b508f2912..44a29b4c5f 100644
--- a/services/app-web/src/contexts/S3Context.tsx
+++ b/services/app-web/src/contexts/S3Context.tsx
@@ -4,6 +4,7 @@ import { S3FileData } from '../components'
 import type { S3ClientT } from '../s3'
 import { BucketShortName } from '../s3/s3Amplify'
 import { recordJSException } from '../otelHelpers'
+import { useAuth } from './AuthContext'
 
 type S3ContextT = {
     handleUploadFile: (
@@ -41,6 +42,7 @@ const useS3 = (): S3ContextT => {
     }
 
     const { deleteFile, uploadFile, scanFile, getS3URL } = context
+    const {checkAuth, logout} = useAuth()
 
     const handleUploadFile = async (
         file: File,
@@ -51,9 +53,14 @@ const useS3 = (): S3ContextT => {
         if (isS3Error(s3Key)) {
             const error = new Error(`Error in S3: ${file.name}`)
             recordJSException(error)
+            // s3 file upload failing could be due to IDM session timeout
+            // double check the user still has their session, if not, logout to update the React state with their login status
+            const responseCheckAuth = await checkAuth()
+            if (responseCheckAuth instanceof Error){
+                await logout({type: 'TIMEOUT'})
+            }
             throw error
         }
-
         const s3URL = await getS3URL(s3Key, file.name, bucket)
         return { key: s3Key, s3URL: s3URL }
     }
@@ -70,6 +77,12 @@ const useS3 = (): S3ContextT => {
                 recordJSException(error)
                 throw error
             }
+        // s3 file upload failing could be due to IDM session timeout
+            // double check the user still has their session, if not, logout to update the React state with their login status
+            const responseCheckAuth = await checkAuth()
+            if (responseCheckAuth instanceof Error){
+                await logout({type: 'TIMEOUT'})
+            }
             const error = new Error('Scanning error: Scanning retry timed out')
             recordJSException(error)
             throw error
diff --git a/services/app-web/src/localAuth/LocalLogin.tsx b/services/app-web/src/localAuth/LocalLogin.tsx
index 76d44ef575..cde97d915e 100644
--- a/services/app-web/src/localAuth/LocalLogin.tsx
+++ b/services/app-web/src/localAuth/LocalLogin.tsx
@@ -26,7 +26,8 @@ import azulaAvatar from '../assets/images/azula.png'
 
 import { useAuth } from '../contexts/AuthContext'
 import { LocalUserType } from './LocalUserType'
-import { ButtonWithLogging } from '../components'
+import { ButtonWithLogging, ErrorAlertSignIn } from '../components'
+import { recordJSException } from '../otelHelpers'
 
 const localUsers: LocalUserType[] = [
     {
@@ -113,20 +114,25 @@ const userAvatars: { [key: string]: string } = {
 }
 
 export function LocalLogin(): React.ReactElement {
-    const [showFormAlert, setShowFormAlert] = React.useState(false)
+    const hasSigninError = new URLSearchParams(location.search).get(
+        'signin-error'
+    )
+    const [showFormAlert, setShowFormAlert] = React.useState(hasSigninError? true : false)
     const navigate = useNavigate()
     const { checkAuth, loginStatus } = useAuth()
 
     async function login(user: LocalUserType) {
         loginLocalUser(user)
+            const result = await checkAuth()
+
+            if(result instanceof Error){
+                setShowFormAlert(true)
+                recordJSException(result)
+            } else {
+                navigate(RoutesRecord.ROOT)
+            }
+
 
-        try {
-            await checkAuth()
-            navigate(RoutesRecord.ROOT)
-        } catch (error) {
-            setShowFormAlert(true)
-            console.info('Log: Server Error')
-        }
     }
 
     return (
@@ -135,9 +141,7 @@ export function LocalLogin(): React.ReactElement {
             <h3>Local Login</h3>
             <div>Login as one of our hard coded users:</div>
             {showFormAlert && (
-                <Alert headingLevel="h4" type="error">
-                    Something went wrong
-                </Alert>
+                <ErrorAlertSignIn />
             )}
             <CardGroup>
                 {localUsers.map((user) => {
diff --git a/services/app-web/src/pages/App/App.tsx b/services/app-web/src/pages/App/App.tsx
index 8d0c7f122e..87fb61d5bb 100644
--- a/services/app-web/src/pages/App/App.tsx
+++ b/services/app-web/src/pages/App/App.tsx
@@ -56,15 +56,15 @@ function App({
             <TraceProvider>
                 <BrowserRouter>
                     <ApolloProvider client={apolloClient}>
-                        <S3Provider client={s3Client}>
                             <AuthProvider authMode={authMode}>
+                                <S3Provider client={s3Client}>
                                 <PageProvider>
                                     <TealiumProvider client={newTealiumClient}>
                                         <AppBody authMode={authMode} />
                                     </TealiumProvider>
                                 </PageProvider>
+                                </S3Provider>
                             </AuthProvider>
-                        </S3Provider>
                     </ApolloProvider>
                 </BrowserRouter>
             </TraceProvider>
diff --git a/services/app-web/src/pages/App/AppRoutes.test.tsx b/services/app-web/src/pages/App/AppRoutes.test.tsx
index 57cb6c0682..477d29a5a8 100644
--- a/services/app-web/src/pages/App/AppRoutes.test.tsx
+++ b/services/app-web/src/pages/App/AppRoutes.test.tsx
@@ -1,4 +1,4 @@
-import { screen, waitFor } from '@testing-library/react'
+import { screen, waitFor  } from '@testing-library/react'
 
 import { renderWithProviders } from '../../testHelpers/jestHelpers'
 import { AppRoutes } from './AppRoutes'
@@ -8,8 +8,8 @@ import {
     indexHealthPlanPackagesMockSuccess,
 } from '../../testHelpers/apolloMocks'
 
-// Routing and routes configuration
-describe('AppRoutes', () => {
+// Routing and routes configuration tested here, best layer for testing behaviors that cross several pages
+describe('AppRoutes and routing configuration', () => {
     Object.defineProperty(window, 'scrollTo', {
         writable: true,
         value: vi.fn(),
diff --git a/services/app-web/src/pages/App/AppRoutes.tsx b/services/app-web/src/pages/App/AppRoutes.tsx
index dfa0a1f282..7f34c487f3 100644
--- a/services/app-web/src/pages/App/AppRoutes.tsx
+++ b/services/app-web/src/pages/App/AppRoutes.tsx
@@ -2,7 +2,7 @@ import React, { Fragment, useEffect, useState } from 'react'
 import { useLocation, Navigate } from 'react-router'
 import { Route, Routes } from 'react-router-dom'
 import { useLDClient } from 'launchdarkly-react-client-sdk'
-import { extendSession, idmRedirectURL } from '../../pages/Auth/cognitoAuth'
+import {  idmRedirectURL } from '../../pages/Auth/cognitoAuth'
 import { assertNever, AuthModeType } from '../../common-code/config'
 import { PageTitlesRecord, RoutesRecord, RouteT } from '../../constants/routes'
 import { getRouteName } from '../../routeHelpers'
@@ -88,7 +88,7 @@ const StateUserRoutes = ({
         featureFlags.RATE_EDIT_UNLOCK.defaultValue
     )
     return (
-        <AuthenticatedRouteWrapper setAlert={setAlert} authMode={authMode}>
+        <AuthenticatedRouteWrapper>
             <Routes>
                 <Route
                     path={RoutesRecord.ROOT}
@@ -173,7 +173,7 @@ const CMSUserRoutes = ({
     stageName?: string
 }): React.ReactElement => {
     return (
-        <AuthenticatedRouteWrapper authMode={authMode} setAlert={setAlert}>
+        <AuthenticatedRouteWrapper>
             <Routes>
                 <Route
                     path={RoutesRecord.ROOT}
@@ -312,41 +312,17 @@ export const AppRoutes = ({
 }): React.ReactElement => {
     const {
         loggedInUser,
-        sessionIsExpiring,
-        updateSessionExpirationState,
-        updateSessionExpirationTime,
-        checkIfSessionsIsAboutToExpire,
     } = useAuth()
     const { pathname } = useLocation()
-    const ldClient = useLDClient()
     const [redirectPath, setRedirectPath] = useLocalStorage(
         'LOGIN_REDIRECT',
         null
     )
     const stageName = import.meta.env.VITE_APP_STAGE_NAME
-    const showExpirationModal: boolean = ldClient?.variation(
-        featureFlags.SESSION_EXPIRING_MODAL.flag,
-        featureFlags.SESSION_EXPIRING_MODAL.defaultValue
-    )
 
     const route = getRouteName(pathname)
     const { updateHeading } = usePage()
     const [initialPath] = useState(pathname) // this gets written on mount, so we don't call the effect on every path change
-    if (
-        loggedInUser !== undefined &&
-        sessionIsExpiring === false &&
-        showExpirationModal
-    ) {
-        // whenever we load a page, reset the logout timer and refresh the session
-        updateSessionExpirationTime()
-
-        if (authMode !== 'LOCAL') {
-            void extendSession()
-        }
-        updateSessionExpirationState(false)
-        // Every thirty seconds, check if the current time is within `countdownDurationSeconds` of the session expiration time
-        checkIfSessionsIsAboutToExpire()
-    }
 
     // This effect handles our initial redirect on login
     // This way, if you get a link to something and aren't logged in, you get
diff --git a/services/app-web/src/pages/Auth/Auth.test.tsx b/services/app-web/src/pages/Auth/Auth.test.tsx
index ef09ab3211..2f561550db 100644
--- a/services/app-web/src/pages/Auth/Auth.test.tsx
+++ b/services/app-web/src/pages/Auth/Auth.test.tsx
@@ -13,11 +13,14 @@ import {
 import { CognitoLogin } from './CognitoLogin'
 import { LocalLogin } from '../../localAuth'
 import { fetchCurrentUserMock } from '../../testHelpers/apolloMocks'
-/*  
+/*
 This file should only have basic user flows for auth. Form and implementation details are tested at the component level.
 */
 
 describe('Auth', () => {
+    afterEach( ()=>{
+        vi.clearAllMocks()
+    })
     describe('Cognito Login', () => {
         const userLogin = async (screen: Screen<typeof queries>) => {
             await userClickByRole(screen, 'button', {
@@ -37,16 +40,16 @@ describe('Auth', () => {
             await userClickByRole(screen, 'button', { name: 'Login' })
         }
 
-        it('displays signup form when logged out', () => {
+        it('displays signup form when logged out',async () => {
             renderWithProviders(<CognitoLogin />, {
                 apolloProvider: {
                     mocks: [fetchCurrentUserMock({ statusCode: 403 })],
                 },
             })
 
-            expect(
-                screen.getByRole('form', { name: 'Signup Form' })
-            ).toBeInTheDocument()
+
+            await screen.findByRole('form', { name: 'Signup Form' })
+
             expect(
                 screen.getByRole('button', { name: /SignUp/i })
             ).toBeInTheDocument()
@@ -94,8 +97,8 @@ describe('Auth', () => {
                 {
                     apolloProvider: {
                         mocks: [
-                            fetchCurrentUserMock({ statusCode: 403 }),
-                            fetchCurrentUserMock({ statusCode: 403 }),
+                            fetchCurrentUserMock({statusCode: 403}),
+                            fetchCurrentUserMock({statusCode: 200}),
                         ],
                     },
                     routerProvider: {
@@ -111,10 +114,10 @@ describe('Auth', () => {
             await waitFor(() => expect(testLocation.pathname).toBe('/'))
         })
 
-        it('when login fails, stay on page and display error alert', async () => {
+        it('when login fails, display error alert', async () => {
             const loginSpy = vi
                 .spyOn(CognitoAuthApi, 'signIn')
-                .mockRejectedValue(new Error('Login failed'))
+                .mockResolvedValue(new Error('Login failed'))
 
             let testLocation: Location
 
@@ -137,7 +140,10 @@ describe('Auth', () => {
             await waitFor(() => {
                 expect(loginSpy).toHaveBeenCalledTimes(1)
                 expect(testLocation.pathname).toBe('/auth')
+                expect(screen.getByRole('heading', {name:'Sign in error'})).toBeInTheDocument()
             })
+
+
         })
     })
 
@@ -146,18 +152,17 @@ describe('Auth', () => {
             window.localStorage.clear()
         })
 
-        it('displays aang and toph and zuko and roku and izumi and iroh when logged out', () => {
+        it('displays aang and toph and zuko and roku and izumi and iroh when logged out', async () => {
             renderWithProviders(<LocalLogin />, {
                 apolloProvider: {
                     mocks: [fetchCurrentUserMock({ statusCode: 403 })],
                 },
             })
 
-            expect(
-                screen.getByRole('img', {
+         await screen.findByRole('img', {
                     name: /Aang/i,
                 })
-            ).toBeInTheDocument()
+
 
             expect(
                 screen.getByRole('img', {
@@ -273,6 +278,7 @@ describe('Auth', () => {
             await userClickByTestId(screen, 'TophButton')
             await waitFor(() => {
                 expect(testLocation.pathname).toBe('/auth')
+                expect(screen.getByRole('heading', {name:'Sign in error'})).toBeInTheDocument()
             })
         })
     })
diff --git a/services/app-web/src/pages/Auth/Login.test.tsx b/services/app-web/src/pages/Auth/Login.test.tsx
index 1808c3d279..03781b3c21 100644
--- a/services/app-web/src/pages/Auth/Login.test.tsx
+++ b/services/app-web/src/pages/Auth/Login.test.tsx
@@ -121,7 +121,7 @@ describe('Cognito Login', () => {
     it('when login fails, stay on page and display error alert', async () => {
         const loginSpy = vi
             .spyOn(CognitoAuthApi, 'signIn')
-            .mockRejectedValue('Error has occurred')
+            .mockResolvedValue(new Error('Error has occurred'))
 
         let testLocation: Location
 
@@ -148,7 +148,7 @@ describe('Cognito Login', () => {
     it('when login is a failure, button is re-enabled', async () => {
         const loginSpy = vi
             .spyOn(CognitoAuthApi, 'signIn')
-            .mockRejectedValue(null)
+            .mockResolvedValue(new Error('somethign went wrong'))
 
         renderWithProviders(<Login />, {
             apolloProvider: { mocks: [failedAuthMock, failedAuthMock] },
diff --git a/services/app-web/src/pages/Auth/Login.tsx b/services/app-web/src/pages/Auth/Login.tsx
index 22757affa2..ba9e1489c9 100644
--- a/services/app-web/src/pages/Auth/Login.tsx
+++ b/services/app-web/src/pages/Auth/Login.tsx
@@ -1,17 +1,22 @@
-import React, { useState } from 'react'
+import React, { useState, useEffect } from 'react'
 import { Form, FormGroup, Label, TextInput } from '@trussworks/react-uswds'
 import { useNavigate } from 'react-router-dom'
 
 import { signIn } from '../Auth/cognitoAuth'
 import { useAuth } from '../../contexts/AuthContext'
-import { ButtonWithLogging, ErrorAlert } from '../../components'
+import { ButtonWithLogging, ErrorAlertSignIn } from '../../components'
+import { recordJSException } from '../../otelHelpers'
+import { RoutesRecord } from '../../constants'
 
 type Props = {
     defaultEmail?: string
 }
 
 export function Login({ defaultEmail }: Props): React.ReactElement {
-    const [showFormAlert, setShowFormAlert] = React.useState(false)
+    const hasSigninError = new URLSearchParams(location.search).get(
+        'signin-error'
+    )
+    const [showFormAlert, setShowFormAlert] = React.useState(hasSigninError? true: false)
     const [fields, setFields] = useState({
         loginEmail: defaultEmail || '',
         loginPassword: '',
@@ -19,7 +24,12 @@ export function Login({ defaultEmail }: Props): React.ReactElement {
 
     const navigate = useNavigate()
     const { loginStatus, checkAuth } = useAuth()
-    if (loginStatus === 'LOGGED_IN') navigate('/')
+    useEffect( () => {
+        if (loginStatus === 'LOGGED_IN') {
+            navigate(RoutesRecord.ROOT)
+        }
+    },[loginStatus, navigate])
+
 
     const onFieldChange = (event: React.ChangeEvent<HTMLInputElement>) => {
         const { id, value } = event.target
@@ -34,41 +44,25 @@ export function Login({ defaultEmail }: Props): React.ReactElement {
     async function handleSubmit(event: React.FormEvent) {
         event.preventDefault()
 
-        try {
-            const result = await signIn(fields.loginEmail, fields.loginPassword)
-
-            if (result && 'code' in result) {
-                if (result.code === 'UserNotConfirmedException') {
-                    // the user has not been confirmed, need to display the confirmation UI
-                    console.info(
-                        'you need to confirm your account, enter the code below'
-                    )
-                } else if (result.code === 'NotAuthorizedException') {
-                    // the password is bad
-                    console.info('bad password')
-                } else {
-                    console.info('Unknown error from Amplify: ', result)
-                }
+        const result =  await signIn(fields.loginEmail, fields.loginPassword)
+        if (result instanceof Error) {
+            setShowFormAlert(true)
+        } else {
+            // we think we signed in, double check that amplify - API connection agrees
+            const authResult = await checkAuth()
+            if(authResult instanceof Error) {
+                recordJSException(`Cognito Login Error - unexpected error after succeeding on signIn – ${authResult}`)
                 setShowFormAlert(true)
-                console.info('Error', result.message)
             } else {
-                try {
-                    await checkAuth()
-                } catch (e) {
-                    console.info('UNEXPECTED NOT LOGGED IN AFTER LOGGIN', e)
-                    setShowFormAlert(true)
-                }
-
-                navigate('/')
+                navigate(RoutesRecord.ROOT)
             }
-        } catch (err) {
-            console.info('Unexpected error signing in:', err)
         }
+
     }
 
     return (
         <Form onSubmit={handleSubmit} name="Login" aria-label="Login Form">
-            {showFormAlert && <ErrorAlert>Something went wrong</ErrorAlert>}
+            {showFormAlert &&   <ErrorAlertSignIn />}
             <FormGroup>
                 <Label htmlFor="loginEmail">Email</Label>
                 <TextInput
diff --git a/services/app-web/src/pages/Auth/Signup.tsx b/services/app-web/src/pages/Auth/Signup.tsx
index feec77c56f..61434680d0 100644
--- a/services/app-web/src/pages/Auth/Signup.tsx
+++ b/services/app-web/src/pages/Auth/Signup.tsx
@@ -2,7 +2,6 @@ import React, { useState, Dispatch, SetStateAction } from 'react'
 import { Form, FormGroup, Label, TextInput } from '@trussworks/react-uswds'
 
 import { signUp } from './cognitoAuth'
-import { recordJSException } from '../../otelHelpers'
 import { ButtonWithLogging } from '../../components'
 
 export function showError(error: string): void {
@@ -47,30 +46,23 @@ export function Signup({
         event.preventDefault()
         setIsLoading(true)
 
-        try {
-            const result = await signUp({
-                username: fields.email,
-                password: fields.password,
-                given_name: fields.firstName,
-                family_name: fields.lastName,
-                stateCode: 'MN',
-            })
-            setIsLoading(false)
+        const result = await signUp({
+            username: fields.email,
+            password: fields.password,
+            given_name: fields.firstName,
+            family_name: fields.lastName,
+            stateCode: 'MN',
+        })
+        setIsLoading(false)
+
+            if (result instanceof Error) {
+                showError('An unexpected error occurred!')
 
-            if ('code' in result) {
-                const err = result
-                console.info('got an error back from signup: ', err)
             } else {
-                const user = result
-                console.info('got a user back', user)
                 setEmail(fields.email)
                 triggerConfirmation()
             }
-        } catch (err) {
-            setIsLoading(false)
-            showError('An unexpected error occurred!')
-            recordJSException(new Error(err))
-        }
+
     }
 
     return (
diff --git a/services/app-web/src/pages/Auth/cognitoAuth.ts b/services/app-web/src/pages/Auth/cognitoAuth.ts
index 5a5aa231e0..abe1d893bd 100644
--- a/services/app-web/src/pages/Auth/cognitoAuth.ts
+++ b/services/app-web/src/pages/Auth/cognitoAuth.ts
@@ -1,6 +1,7 @@
 import { CognitoUser } from 'amazon-cognito-identity-js'
 import { Auth as AmplifyAuth } from 'aws-amplify'
 import { StateUser } from '../../gen/gqlClient'
+import { recordJSException } from '../../otelHelpers'
 
 type newUser = {
     username: string
@@ -19,7 +20,7 @@ type AmplifyErrorCodes =
     | 'NetworkError'
     | 'InvalidParameterException'
 
-export interface AmplifyError {
+interface AmplifyError {
     code: AmplifyErrorCodes
     name: string
     message: string
@@ -51,11 +52,11 @@ export function idmRedirectURL(): string {
     return url
 }
 
-export async function signUp(
+async function signUp(
     user: newUser
-): Promise<CognitoUser | AmplifyError> {
-    try {
-        const result = await AmplifyAuth.signUp({
+): Promise<CognitoUser | Error> {
+  try {
+    const response = await AmplifyAuth.signUp({
             username: user.username,
             password: user.password,
             attributes: {
@@ -65,115 +66,111 @@ export async function signUp(
                 'custom:role': 'macmcrrs-state-user',
             },
         })
-        return result.user
-    } catch (e) {
-        console.info('ERROR SIGNUP', e)
-
-        if (isAmplifyError(e)) {
-            if (e.code === 'UsernameExistsException') {
+        return response.user
+    } catch (response) {
+        if (isAmplifyError(response)) {
+            if (response.code === 'UsernameExistsException') {
                 console.info('that username already exists....')
-                return e
-            } else if (e.code === 'NetworkError') {
+            }
+            if (response.code === 'NetworkError') {
                 console.info(
                     'Failed to connect correctly to Amplify on Signup??'
                 )
-                return e
-            } else {
-                // if amplify returns an error in a format we don't expect, let's throw it for now.
-                // might be against the spirit of never throw, but this is our boundary with a system we don't control.
-                console.info('unexpected cognito error!')
-                throw e
             }
-        } else {
-            throw e
         }
+        return response
     }
 }
 
-export async function confirmSignUp(
+async function confirmSignUp(
     email: string,
     code: string
-): Promise<null | AmplifyError> {
+): Promise<null | Error> {
     try {
         await AmplifyAuth.confirmSignUp(email, code)
         return null
-    } catch (e) {
-        if (isAmplifyError(e)) {
-            if (e.code === 'ExpiredCodeException') {
-                console.info(
-                    'your code is expired, we are sending another one.'
-                )
-                return e
-            } else {
-                throw e
-            }
-        } else {
-            throw e
-        }
+    } catch (response) {
+        if (isAmplifyError(response) && (response.code === 'ExpiredCodeException')) {
+            console.info(
+                'Your code is expired, amplify will send another one.'
+            )
+    }
+    recordJSException(response)
+    return response
     }
 }
 
-export async function resendSignUp(
+async function resendSignUp(
     email: string
-): Promise<null | AmplifyError> {
-    try {
-        await AmplifyAuth.resendSignUp(email)
-        return null
-    } catch (e) {
-        // no known handleable errors for this one...
-        console.info('unknown err', e)
-        throw e
-    }
+): Promise<null | Error> {
+   try {
+    await AmplifyAuth.resendSignUp(email)
+    return null
+   } catch (response ) {
+    recordJSException(response)
+    return response
+   }
 }
 
-export async function signIn(
+async function signIn(
     email: string,
     password: string
-): Promise<CognitoUser | AmplifyError> {
+): Promise<CognitoUser | Error> {
     try {
-        const result = await AmplifyAuth.signIn(email, password)
-        return result.user
-    } catch (e) {
-        if (isAmplifyError(e)) {
-            if (e.code === 'UserNotConfirmedException') {
-                console.info(
-                    'you need to confirm your account, enter the code below'
+        const response = await AmplifyAuth.signIn(email, password)
+        return response.user
+    } catch (response) {
+        if(isAmplifyError(response)) {
+            if (response.code === 'UserNotConfirmedException') {
+                recordJSException(
+                    `AmplifyError ${response.code} – you need to confirm your account, enter the code below`
                 )
-                return e
-            } else if (e.code === 'NotAuthorizedException') {
-                console.info('unknown user or password?')
-                return e
-            } else if (e.code === 'UserNotFoundException') {
-                console.info('user does not exist')
-                return e
+            } else if (response.code === 'NotAuthorizedException') {
+                recordJSException(`AmplifyError ${response.code} – this is probably a bad password`)
+            } else if (response.code === 'UserNotFoundException') {
+                recordJSException(`AmplifyError ${response.code} – user does not exist`)
             } else {
-                // if amplify returns an error in a format we don't expect, let's throw it for now.
-                // might be against the spirit of never throw, but this is our boundary with a system we don't control.
-                throw e
+                recordJSException(`UNEXPECTED AmplifyError ${response.code} – ${response.message}`)
             }
         } else {
-            console.info('didnt even get an amplify error back from login')
-            throw e
+            recordJSException(`UNEXPECTED SIGNIN ERROR – 'didnt even get an amplify error back from login`)
         }
+        return response
     }
 }
 
-export async function signOut(): Promise<null> {
-    try {
-        await AmplifyAuth.signOut()
-        return null
-    } catch (e) {
-        console.info('error signing out: ', e)
-        throw e
+async function signOut(): Promise<null | Error> {
+   try {
+    await AmplifyAuth.signOut()
+    return null
+    } catch (response) {
+            recordJSException( response)
+           return response
     }
+
 }
 
-export async function extendSession(): Promise<null> {
+async function extendSession(): Promise<null | Error> {
     try {
         await AmplifyAuth.currentSession()
         return null
-    } catch (e) {
-        console.info('error extending session: ', e)
-        throw e
+    } catch (response) {
+        recordJSException(response)
+        return response
     }
+
 }
+
+export {
+    extendSession,
+    confirmSignUp,
+    resendSignUp,
+    signIn,
+    signUp,
+    signOut,
+}
+
+export type {
+    AmplifyError,
+    AmplifyErrorCodes
+}
\ No newline at end of file
diff --git a/services/app-web/src/pages/Landing/Landing.test.tsx b/services/app-web/src/pages/Landing/Landing.test.tsx
index 4db33a461e..45a95871c9 100644
--- a/services/app-web/src/pages/Landing/Landing.test.tsx
+++ b/services/app-web/src/pages/Landing/Landing.test.tsx
@@ -1,24 +1,48 @@
 import { screen } from '@testing-library/react'
 import { renderWithProviders } from '../../testHelpers/jestHelpers'
 import { Landing } from './Landing'
+import { LOGOUT_PATHS } from '../../contexts/AuthContext'
 
 describe('Landing', () => {
     afterAll(() => vi.clearAllMocks())
 
     it('displays session expired when query parameter included', async () => {
         renderWithProviders(<Landing />, {
-            routerProvider: { route: '/?session-timeout' },
+            routerProvider: { route: LOGOUT_PATHS.TIMEOUT },
             featureFlags: {
                 'site-under-maintenance-banner': false,
             },
         })
         expect(
             screen.queryByRole('heading', { name: 'Session expired' })
-        ).toBeNull()
+        ).toBeDefined()
         expect(
             screen.queryByText(/You have been logged out due to inactivity/)
+        ).toBeDefined()
+        expect(
+            screen.queryByRole('heading', { name: 'Sign in error' })
+        ).toBeNull()
+    })
+
+
+    it('displays signin error when query parameter included', async () => {
+        renderWithProviders(<Landing />, {
+            routerProvider: { route: '/?signin-error' },
+            featureFlags: {
+                'site-under-maintenance-banner': false,
+            },
+        })
+        expect(
+            screen.queryByRole('heading', { name: 'Sign in error' })
+        ).toBeDefined()
+        expect(
+            screen.queryByText(/There has been an error signing in/)
+        ).toBeDefined()
+        expect(
+            screen.queryByRole('heading', { name: 'Session expired' })
         ).toBeNull()
     })
+
     it('does not display session expired by default', async () => {
         renderWithProviders(<Landing />, {
             routerProvider: { route: '/' },
diff --git a/services/app-web/src/pages/Landing/Landing.tsx b/services/app-web/src/pages/Landing/Landing.tsx
index d202d5ed4e..c05f3d0690 100644
--- a/services/app-web/src/pages/Landing/Landing.tsx
+++ b/services/app-web/src/pages/Landing/Landing.tsx
@@ -9,6 +9,7 @@ import {
     ErrorAlertSessionExpired,
     ErrorAlertScheduledMaintenance,
     LinkWithLogging,
+    ErrorAlertSignIn,
 } from '../../components'
 
 function maintenanceBannerForVariation(flag: string): React.ReactNode {
@@ -36,6 +37,9 @@ export const Landing = (): React.ReactElement => {
         'session-timeout'
     )
 
+    const redirectFromSigninError = new URLSearchParams(location.search).get(
+        'signin-error'
+    )
     return (
         <>
             <section className={styles.detailsSection}>
@@ -43,6 +47,9 @@ export const Landing = (): React.ReactElement => {
                     {maybeMaintenaceBanner}
                     {redirectFromSessionTimeout && !maybeMaintenaceBanner && (
                         <ErrorAlertSessionExpired />
+                    )}
+                     {redirectFromSigninError && !maybeMaintenaceBanner && (
+                        <ErrorAlertSignIn />
                     )}
                     <Grid row gap className="margin-top-2">
                         <Grid tablet={{ col: 6 }}>
diff --git a/services/app-web/src/pages/StateSubmission/ReviewSubmit/V2/ReviewSubmit/ReviewSubmitV2.tsx b/services/app-web/src/pages/StateSubmission/ReviewSubmit/V2/ReviewSubmit/ReviewSubmitV2.tsx
index 1e534c70b0..b2d5aa4efc 100644
--- a/services/app-web/src/pages/StateSubmission/ReviewSubmit/V2/ReviewSubmit/ReviewSubmitV2.tsx
+++ b/services/app-web/src/pages/StateSubmission/ReviewSubmit/V2/ReviewSubmit/ReviewSubmitV2.tsx
@@ -1,7 +1,6 @@
 import {
     GridContainer,
     ModalRef,
-    ModalToggleButton,
 } from '@trussworks/react-uswds'
 import React, { useRef, useState, useEffect } from 'react'
 import { useNavigate } from 'react-router-dom'
@@ -12,12 +11,11 @@ import { ActionButton } from '../../../../../components/ActionButton'
 import {
     useRouteParams,
     useStatePrograms,
-    useTealium,
 } from '../../../../../hooks'
 import { useLDClient } from 'launchdarkly-react-client-sdk'
 
 import { RoutesRecord } from '../../../../../constants'
-import { UnlockSubmitModal } from '../../../../../components/Modal/V2/UnlockSubmitModalV2'
+import { UnlockSubmitModal } from '../../../../../components/Modal/UnlockSubmitModal'
 import { getVisibleLatestContractFormData } from '../../../../../gqlHelpers/contractsAndRates'
 import { useAuth } from '../../../../../contexts/AuthContext'
 import { RateDetailsSummarySection } from '../../RateDetailsSummarySection'
@@ -34,6 +32,7 @@ import { packageName } from '../../../../../common-code/healthPlanFormDataType'
 import { usePage } from '../../../../../contexts/PageContext'
 import { activeFormPages } from '../../../StateSubmissionForm'
 import { featureFlags } from '../../../../../common-code/featureFlags'
+import { ModalOpenButton } from '../../../../../components/Modal'
 
 export const ReviewSubmit = (): React.ReactElement => {
     const navigate = useNavigate()
@@ -43,7 +42,6 @@ export const ReviewSubmit = (): React.ReactElement => {
     const { updateHeading } = usePage()
     const { id } = useRouteParams()
     const [isSubmitting, setIsSubmitting] = useState<boolean>(false)
-    const { logButtonEvent } = useTealium()
     const ldClient = useLDClient()
 
     const hideSupportingDocs = ldClient?.variation(
@@ -190,25 +188,15 @@ export const ReviewSubmit = (): React.ReactElement => {
                     >
                         Back
                     </ActionButton>
-                    <ModalToggleButton
+                    <ModalOpenButton
                         modalRef={modalRef}
                         className={styles.submitButton}
-                        data-testid="form-submit"
-                        onClick={() =>
-                            logButtonEvent({
-                                text: 'Submit',
-                                button_type: 'button',
-                                button_style: 'success',
-                                parent_component_type: 'page body',
-                            })
-                        }
-                        opener
+                        id="form-submit"
                     >
                         Submit
-                    </ModalToggleButton>
+                    </ModalOpenButton>
                 </PageActionsContainer>
 
-                {/* if the session is expiring, close this modal so the countdown modal can appear */}
                 <UnlockSubmitModal
                     submissionData={contract}
                     submissionName={submissionName}
diff --git a/services/app-web/src/pages/SubmissionSummary/SubmissionSummary.tsx b/services/app-web/src/pages/SubmissionSummary/SubmissionSummary.tsx
index 45ae4a77ad..f6fb3a5e11 100644
--- a/services/app-web/src/pages/SubmissionSummary/SubmissionSummary.tsx
+++ b/services/app-web/src/pages/SubmissionSummary/SubmissionSummary.tsx
@@ -2,7 +2,6 @@ import {
     GridContainer,
     Link,
     ModalRef,
-    ModalToggleButton,
 } from '@trussworks/react-uswds'
 import React, { useEffect, useRef, useState } from 'react'
 import { useAuth } from '../../contexts/AuthContext'
@@ -24,7 +23,7 @@ import { Error404 } from '../Errors/Error404Page'
 import { GenericErrorPage } from '../Errors/GenericErrorPage'
 import styles from './SubmissionSummary.module.scss'
 import { ChangeHistory } from '../../components/ChangeHistory'
-import { UnlockSubmitModal } from '../../components/Modal'
+import { ModalOpenButton, UnlockSubmitModal } from '../../components/Modal'
 import { RoutesRecord } from '../../constants'
 import { useRouteParams } from '../../hooks'
 import { getVisibleLatestContractFormData } from '../../gqlHelpers/contractsAndRates'
@@ -39,16 +38,14 @@ function UnlockModalButton({
     modalRef: React.RefObject<ModalRef>
 }) {
     return (
-        <ModalToggleButton
+        <ModalOpenButton
             modalRef={modalRef}
             className={styles.submitButton}
-            data-testid="form-submit"
+            id="form-submit"
             disabled={disabled}
-            outline
-            opener
         >
             Unlock submission
-        </ModalToggleButton>
+        </ModalOpenButton>
     )
 }
 
diff --git a/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.test.tsx b/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.test.tsx
index 0211c6c9b2..6628a362ef 100644
--- a/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.test.tsx
+++ b/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.test.tsx
@@ -1,13 +1,26 @@
-import { screen, waitFor } from '@testing-library/react'
+import { screen, waitFor} from '@testing-library/react'
 import { renderWithProviders } from '../../testHelpers/jestHelpers'
 import { AuthenticatedRouteWrapper } from './AuthenticatedRouteWrapper'
-import * as AuthContext from '../../contexts/AuthContext'
+import { createMocks } from 'react-idle-timer';
+import * as CognitoAuthApi from '../Auth/cognitoAuth'
+import { dayjs } from '../../common-code/dateHelpers';
+
+
+describe('AuthenticatedRouteWrapper and SessionTimeoutModal', () => {
+    beforeAll(() => {
+        vi.useFakeTimers();
+        createMocks();
+      });
+
+      afterAll(() => {
+        vi.runOnlyPendingTimers();
+        vi.useRealTimers();
+        vi.clearAllMocks();
+      });
 
-describe('AuthenticatedRouteWrapper', () => {
     it('renders without errors', async () => {
         renderWithProviders(
             <AuthenticatedRouteWrapper
-                authMode="LOCAL"
                 children={<div>children go here</div>}
             />
         )
@@ -15,75 +28,172 @@ describe('AuthenticatedRouteWrapper', () => {
         expect(kids).toBeInTheDocument()
     })
 
-    it('hides the modal by default', async () => {
+    it('hides the session timeout modal by default', async () => {
         renderWithProviders(
             <AuthenticatedRouteWrapper
-                authMode="LOCAL"
                 children={<div>children go here</div>}
-            />
+            />,
+            {  featureFlags: {
+                'session-expiration-minutes': 3,
+                'session-expiring-modal': true
+            }}
         )
-        const dialog = screen.getByRole('dialog')
-        await waitFor(() => expect(dialog).toHaveClass('is-hidden'))
+        const dialog = await screen.findByRole('dialog', {name: 'Session Expiring'})
+        expect(dialog).toBeInTheDocument()
+        expect(dialog).toHaveClass('is-hidden')
     })
 
-    it('shows the modal when sessionIsExpiring is true', async () => {
-        vi.spyOn(AuthContext, 'useAuth').mockReturnValue({
-            loggedInUser: {
-                __typename: 'StateUser' as const,
-                state: {
-                    name: 'Minnesota',
-                    code: 'MN',
-                    programs: [
-                        {
-                            id: 'abbdf9b0-c49e-4c4c-bb6f-040cb7b51cce',
-                            fullName: 'Special Needs Basic Care',
-                            name: 'SNBC',
-                            isRateProgram: false,
-                        },
-                        {
-                            id: 'd95394e5-44d1-45df-8151-1cc1ee66f100',
-                            fullName: 'Prepaid Medical Assistance Program',
-                            name: 'PMAP',
-                            isRateProgram: false,
-                        },
-                        {
-                            id: 'ea16a6c0-5fc6-4df8-adac-c627e76660ab',
-                            fullName: 'Minnesota Senior Care Plus ',
-                            name: 'MSC+',
-                            isRateProgram: false,
-                        },
-                        {
-                            id: '3fd36500-bf2c-47bc-80e8-e7aa417184c5',
-                            fullName: 'Minnesota Senior Health Options',
-                            name: 'MSHO',
-                            isRateProgram: false,
-                        },
-                    ],
-                },
-                id: 'foo-id',
-                givenName: 'Bob',
-                familyName: 'Dumas',
-                role: 'State User',
-                email: 'bob@dmas.mn.gov',
-            },
-            loginStatus: 'LOGGED_IN',
-            checkAuth: () => Promise.reject(Error('Auth context error')),
-            logout: () => Promise.resolve(),
-            sessionIsExpiring: true,
-            updateSessionExpirationState: () => void 0,
-            logoutCountdownDuration: 120,
-            sessionExpirationTime: { current: undefined },
-            updateSessionExpirationTime: () => void 0,
-            checkIfSessionsIsAboutToExpire: () => void 0,
-            setLogoutCountdownDuration: () => void 0,
-        })
+    it("hides the session timeout modal by when timeout period is not exceeded", async() => {
+        renderWithProviders(
+            <AuthenticatedRouteWrapper
+                children={<div>children go here</div>}
+            />,
+            {  featureFlags: {
+                'session-expiration-minutes': 3,
+                'session-expiring-modal': true
+            }}
+        )
+
+        const dialogOnLoad = await screen.findByRole('dialog', {name: 'Session Expiring'})
+        expect(dialogOnLoad).toHaveClass('is-hidden')
+        await vi.advanceTimersByTimeAsync(500);
+        const dialogAfterIdle = await screen.findByRole('dialog', {name: 'Session Expiring'})
+        expect(dialogAfterIdle).toHaveClass('is-hidden')
+      });
+
+
+    it("renders session timeout modal after idle prompt period is exceeded", async () => {
         renderWithProviders(
             <AuthenticatedRouteWrapper
-                authMode="LOCAL"
+                children={<div>children go here</div>}
+            />,
+            {  featureFlags: {
+                'session-expiration-minutes': 2,
+                'session-expiring-modal': true
+            }}
+        )
+        const dialogOnLoad = await screen.findByRole('dialog', {name: 'Session Expiring'})
+        expect(dialogOnLoad).toBeInTheDocument()
+        expect(dialogOnLoad).toHaveClass('is-hidden')
+
+        await vi.advanceTimersByTimeAsync(1000);
+
+        const dialogAfterIdle = await screen.findByRole('dialog', {name: 'Session Expiring'})
+        await waitFor( () => {
+            expect(dialogAfterIdle).toHaveClass('is-visible')
+        })
+      });
+
+
+    it("renders session timeout modal and if countdown elapses and user does nothing, calls sign out", async () => {
+        const logoutSpy = vi
+        .spyOn(CognitoAuthApi, 'signOut')
+        .mockResolvedValue(null)
+
+
+        renderWithProviders(
+            <div>
+                <AuthenticatedRouteWrapper
+                children={<div>children go here</div>}
+            />
+            </div>,
+            {  featureFlags: {
+                'session-expiration-minutes': 2,
+                'session-expiring-modal': true
+            }}
+        )
+
+            const dialogOnLoad = await screen.findByRole('dialog', {name: 'Session Expiring'})
+            expect(dialogOnLoad).toBeInTheDocument()
+            expect(dialogOnLoad).toHaveClass('is-hidden')
+
+            await vi.advanceTimersByTimeAsync(1000);
+            const dialogAfterIdle = await screen.findByRole('dialog', {name: 'Session Expiring'})
+            await waitFor ( () => {
+                expect(dialogAfterIdle).toHaveClass('is-visible')
+            })
+
+            await vi.advanceTimersByTimeAsync(120100);
+            expect(logoutSpy).toHaveBeenCalled()
+
+        });
+
+    it('renders countdown inside session timeout modal that updates every second', async() => {
+        renderWithProviders(
+            <div>
+                <AuthenticatedRouteWrapper
+                children={<div>children go here</div>}
+            />
+            </div>,
+            {  featureFlags: {
+                'session-expiration-minutes': 2,
+                'session-expiring-modal': true
+            }}
+        )
+        await screen.findByRole('dialog', {name: 'Session Expiring'})
+        await vi.advanceTimersByTimeAsync(1000)
+        const timeElapsedBefore =  screen.getByTestId('remaining').textContent
+        await vi.advanceTimersByTimeAsync(1000)
+        const timeElapsedAfter =  screen.getByTestId('remaining').textContent
+
+        const diff =  dayjs(timeElapsedBefore, 'mm:ss').diff(dayjs(timeElapsedAfter, 'mm:ss'), 'milliseconds')
+        expect(diff).toBe(1000)
+    })
+
+    it('session timeout modal continue session button click will refresh the user session', async ()=>{
+        const refreshSpy = vi
+        .spyOn(CognitoAuthApi, 'extendSession')
+        .mockResolvedValue(null)
+
+        renderWithProviders(
+            <div>
+                <AuthenticatedRouteWrapper
+                children={<div>children go here</div>}
+            />
+            </div>,
+            {  featureFlags: {
+                'session-expiration-minutes': 2,
+                'session-expiring-modal': true
+            }}
+        )
+            await screen.findByRole('dialog', {name: 'Session Expiring'})
+            await vi.advanceTimersByTimeAsync(1000);
+            const dialogAfterIdle = await screen.findByRole('dialog', {name: 'Session Expiring'})
+           await waitFor( () => {
+            expect(dialogAfterIdle).toHaveClass('is-visible')
+           }) ;
+            (await screen.findByText('Continue Session')).click()
+            await screen.findByRole('dialog', {name: 'Session Expiring'})
+            await waitFor(() => {
+                expect(dialogAfterIdle).not.toHaveClass('is-visible');
+            })
+            expect(refreshSpy).toHaveBeenCalled()
+    })
+
+    it('session timeout modal Logout button click will logout user session', async () =>{
+        const logoutSpy = vi
+        .spyOn(CognitoAuthApi, 'signOut')
+        .mockResolvedValue(null)
+
+
+        renderWithProviders(
+            <div>
+                <AuthenticatedRouteWrapper
                 children={<div>children go here</div>}
             />
+            </div>,
+            {  featureFlags: {
+                'session-expiration-minutes': 2,
+                'session-expiring-modal': true
+            }}
         )
-        const dialog = screen.getByRole('dialog')
-        await waitFor(() => expect(dialog).toHaveClass('is-visible'))
+            await screen.findByRole('dialog', {name: 'Session Expiring'})
+            await vi.advanceTimersByTimeAsync(1000);
+            const dialogAfterIdle = await screen.findByRole('dialog', {name: 'Session Expiring'});
+            await waitFor( () => {
+                expect(dialogAfterIdle).toHaveClass('is-visible');
+            });
+            (await screen.findByText('Logout')).click()
+            expect(logoutSpy).toHaveBeenCalled()
     })
 })
diff --git a/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.tsx b/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.tsx
index 9a1e991145..ae3aeeb4ed 100644
--- a/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.tsx
+++ b/services/app-web/src/pages/Wrapper/AuthenticatedRouteWrapper.tsx
@@ -1,108 +1,103 @@
-import React, { useState } from 'react'
-import { Modal } from '../../components/Modal/Modal'
+import React from 'react'
 import { ModalRef } from '@trussworks/react-uswds'
-import { createRef, useCallback, useEffect } from 'react'
-import { MODAL_COUNTDOWN_DURATION, useAuth } from '../../contexts/AuthContext'
-import { AuthModeType } from '../../common-code/config'
-import { extendSession } from '../Auth/cognitoAuth'
-import styles from '../StateSubmission/ReviewSubmit/ReviewSubmit.module.scss'
-import { dayjs } from '../../common-code/dateHelpers/dayjs'
-import { recordJSException } from '../../otelHelpers'
-import { ErrorAlertSignIn } from '../../components'
+import { createRef} from 'react'
+import { useAuth } from '../../contexts/AuthContext'
+import { useLDClient } from 'launchdarkly-react-client-sdk'
+import { featureFlags } from '../../common-code/featureFlags'
+import { SessionTimeoutModal } from '../../components/Modal/SessionTimeoutModal'
+import { IdleTimerProvider } from 'react-idle-timer'
+import { usePage } from '../../contexts/PageContext'
 
-export const AuthenticatedRouteWrapper = ({
+const SESSION_ACTIONS = {
+    LOGOUT_SESSION: 'LOGOUT_SESSION',
+    CONTINUE_SESSION: 'CONTINUE_SESSSION'
+}
+
+// AuthenticatedRouteWrapper control access to protected routes and the session timeout modal
+// For more on expected behavior for session timeout see feature-brief-session-expiration.md
+const AuthenticatedRouteWrapper = ({
     children,
-    setAlert,
-    authMode,
 }: {
     children: React.ReactNode
-    setAlert?: React.Dispatch<React.ReactElement>
-    authMode: AuthModeType
 }): React.ReactElement => {
-    const {
-        logout,
-        sessionIsExpiring,
-        logoutCountdownDuration,
-        updateSessionExpirationState,
-        updateSessionExpirationTime,
-        setLogoutCountdownDuration,
-    } = useAuth()
-    const [announcementSeed] = useState<number>(logoutCountdownDuration)
-    const announcementTimes: number[] = []
-    for (let i = announcementSeed; i > 0; i -= 10) {
-        announcementTimes.push(i)
-    }
     const modalRef = createRef<ModalRef>()
+    const ldClient = useLDClient()
+    const  {logout, refreshAuth} = useAuth()
+    const {activeModalRef, updateModalRef} = usePage()
 
-    const logoutSession = useCallback(
-        (forcedSessionSignout: boolean) => {
-            updateSessionExpirationState(false)
-            if (logout) {
-                logout({ sessionTimeout: forcedSessionSignout }).catch((e) => {
-                    recordJSException(`Error with logout: ${e}`)
-                    setAlert && setAlert(<ErrorAlertSignIn />)
-                })
-            }
-        },
-        [logout, setAlert, updateSessionExpirationState]
-    )
+    const openSessionTimeoutModal = () =>{
+        // Make sure we close any active modals for session timeout, should overrides the focus trap
+        if(activeModalRef && activeModalRef !== modalRef) {
+            activeModalRef.current?.toggleModal(undefined, false)
+            updateModalRef({updatedModalRef: modalRef})
+        }
+
+        modalRef.current?.toggleModal(undefined, true)
+    }
+    const closeSessionTimeoutModal = () => {
+        modalRef.current?.toggleModal(undefined, false)
+    }
+    const logoutBySessionTimeout = async () => {
+        closeSessionTimeoutModal()
+        await logout({type: 'TIMEOUT'})}
+    const logoutByUserChoice  = async () =>  {
+        closeSessionTimeoutModal()
+        await logout({type: 'DEFAULT'})
+    }
+    const refreshSession = async () => {
+        closeSessionTimeoutModal()
+        await refreshAuth()
+    }
 
-    const resetSessionTimeout = () => {
-        updateSessionExpirationState(false)
-        updateSessionExpirationTime()
-        setLogoutCountdownDuration(MODAL_COUNTDOWN_DURATION)
-        if (authMode !== 'LOCAL') {
-            void extendSession()
+    // For multi-tab support we emit messages related to user actions on the session timeout modal
+    const onMessage = async ({action}: {action: 'LOGOUT_SESSION' | 'CONTINUE_SESSION'}) => {
+      switch (action) {
+        case 'LOGOUT_SESSION':
+            await logoutByUserChoice()
+            break;
+        case 'CONTINUE_SESSION':
+                await refreshSession()
+                break
+        default:
+            // no op
         }
     }
 
-    useEffect(() => {
-        modalRef.current?.toggleModal(undefined, sessionIsExpiring)
-    }, [sessionIsExpiring, modalRef])
+     // All time increment constants must be milliseconds
+     const RECHECK_FREQUENCY = 500
+     const SESSION_TIMEOUT_COUNTDOWN = 2 * 60 * 1000
+     const SESSION_DURATION: number = ldClient?.variation(
+        featureFlags.MINUTES_UNTIL_SESSION_EXPIRES.flag,
+        featureFlags.MINUTES_UNTIL_SESSION_EXPIRES.defaultValue
+    ) * 60 * 1000 //  controlled by feature flag for testing in lower environments
+    const SHOW_SESSION_EXPIRATION:boolean = ldClient?.variation(
+        featureFlags.SESSION_EXPIRING_MODAL.flag,
+        featureFlags.SESSION_EXPIRING_MODAL.defaultValue
+    )//  controlled by feature flag for testing in lower environments
+    let promptCountdown = SESSION_TIMEOUT_COUNTDOWN //  may be reassigned if session duration is shorter time period
 
-    useEffect(() => {
-        if (logoutCountdownDuration < 1) {
-            logoutSession(true)
-        }
-    }, [logoutCountdownDuration, logoutSession])
-    return (
-        <>
-            {
-                <Modal
-                    modalRef={modalRef}
-                    id="extend-session-modal"
-                    modalHeading="Session Expiring"
-                    onSubmitText="Continue Session"
-                    onCancelText="Logout"
-                    onCancel={() => logoutSession(false)}
-                    submitButtonProps={{ className: styles.submitButton }}
-                    onSubmit={resetSessionTimeout}
-                    forceAction={true}
-                >
-                    <p
-                        aria-live={
-                            announcementTimes.includes(logoutCountdownDuration)
-                                ? 'assertive'
-                                : 'off'
-                        }
-                        aria-atomic={true}
-                    >
-                        Your session is going to expire in{' '}
-                        {dayjs
-                            .duration(logoutCountdownDuration, 'seconds')
-                            .format('mm:ss')}{' '}
-                    </p>
-                    <p>
-                        If you would like to extend your session, click the
-                        Continue Session button
-                    </p>
-                    <p>
-                        If you would like to end your session now, click the
-                        Logout button
-                    </p>
-                </Modal>
-            }
+    // Session duration must be longer than prompt countdown to allow IdleTimer to load
+     if (SESSION_DURATION <= SESSION_TIMEOUT_COUNTDOWN) {
+        promptCountdown = SESSION_DURATION - 1000
+     }
+
+    return (<IdleTimerProvider
+            onIdle={logoutBySessionTimeout}
+            onActive={refreshSession}
+            onPrompt={ SHOW_SESSION_EXPIRATION ? openSessionTimeoutModal: undefined}
+            promptBeforeIdle={promptCountdown}
+            timeout={SESSION_DURATION}
+            throttle={RECHECK_FREQUENCY}
+            // cross tab props
+            onMessage={onMessage}
+            syncTimers={RECHECK_FREQUENCY}
+            crossTab={true}
+    >
             {children}
-        </>
-    )
+            <SessionTimeoutModal
+                modalRef={modalRef}
+            />
+            </IdleTimerProvider>)
 }
+
+export {SESSION_ACTIONS, AuthenticatedRouteWrapper}
\ No newline at end of file