Opened 7 years ago
Last modified 2 months ago
#44161 new enhancement
Expired session tokens need to be removed from database because GDPR
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.9.6 |
| Component: | Privacy | Keywords: | 2nd-opinion |
| Focuses: | | Cc: | |
Description
WordPress stores the IP address (which is considered personal information) as part of its session tokens in the usermeta table. When the session expires, GDPR would seem to require the IP address to be removed from the database, as there is no longer a reason to keep it.
There should be some kind of garbage collection that removes expired session tokens on a daily basis.
Change History (5)
This ticket was mentioned in Slack in #core-privacy by lakenh. View the logs.
7 years ago
This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.
7 years ago
#4
@
7 years ago
@desrosj - I am inclined to agree with you philosophically here, and thanks for weighing in, though I think through a strict interpretation of IP data rules, @mechter might be right as it's part of the data that is recorded about a given user on a site. (Thanks for opening this ticket!)
Regarding this:
There should be some kind of garbage collection that removes expired session tokens on a daily basis.
I think in some organizations that are really concerned, the idea of session management could be entirely disabled and this would be a reasonable option. That being said, I think it's useful for a user to review their login history with a given site.
Would totally love others to weigh in as well!
#5
@
2 months ago
The GDPR dictates that you need to approach this question from the opposite end:
If you have a legitimate reason to retain user data for showing a history of logins to all your users, and you actually do it (whereas WordPress Core does not do it and I'm not aware of a plugin that does it), then you can disable the cleanup on your site (or install a plugin that saves the data in a better way).
This recommended default behavior is supported by further technical evidence:
There are various complaints from WordPress site administrators across the net running into fatal server errors, because some of their user accounts have so many session_tokens that their site is exceeding the PHP memory limit.
Cleaning up expired session tokens not only supports data privacy but also prevents a bad user experience with WordPress for site administrators. The data is obsolete, useless, and in a poor format.
Hey @mechter, thanks for this ticket!
I am not sure that the IP should be erased automatically after a session expires. I would argue that it still holds a purpose, even for expired sessions. Say a user logs in and reviews their sessions. In my opinion, the IP address is important information because it helps the user confirm that a session rightfully belongs to them.
This also would be fairly difficult to accomplish, especially on sites with many users. Session data is stored in user meta on a per-user basis. This would require crawling through every user and checking every session in their meta key in some way.
I am inclined to close this as a wontfix, but I am going to leave this open for others to weigh in.
While reviewing this during this week's Privacy component office hours (transcript link above), it came to our attention that the session data, which could be considered personally identifiable, is not currently included in the data export. #45889 has been opened to tackle that.
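One way to implement the daily garbage collection proposed in the ticket description, as an added example that is not WordPress core code and not from any ticket participant. It assumes the default user-meta session store (the `session_tokens` meta key with an `expiration` timestamp per session); the `example_*` function and hook names are hypothetical.

```php
<?php
// Added example, not WordPress core code; assumes the default 'session_tokens' user-meta store.
// Keep only the sessions whose 'expiration' timestamp has not passed yet.
function example_prune_sessions( array $sessions, int $now ): array {
    return array_filter(
        $sessions,
        static function ( $session ) use ( $now ) {
            // Assumption: a legacy entry may be a bare expiration timestamp.
            $expiration = is_array( $session ) ? ( $session['expiration'] ?? 0 ) : $session;
            return (int) $expiration >= $now;
        }
    );
}

// Visit users in ID order, 200 at a time, so one run never loads every user at once.
function example_purge_expired_session_tokens(): void {
    global $wpdb;
    $last_id = 0;
    do {
        $ids = $wpdb->get_col( $wpdb->prepare(
            "SELECT DISTINCT user_id FROM {$wpdb->usermeta}
             WHERE meta_key = 'session_tokens' AND user_id > %d
             ORDER BY user_id LIMIT 200",
            $last_id
        ) );
        foreach ( $ids as $id ) {
            $last_id  = (int) $id;
            $sessions = get_user_meta( $last_id, 'session_tokens', true );
            if ( ! is_array( $sessions ) ) {
                continue; // nothing usable stored for this user
            }
            $valid = example_prune_sessions( $sessions, time() );
            if ( count( $valid ) === count( $sessions ) ) {
                continue; // no expired sessions, leave the row untouched
            }
            if ( $valid ) {
                update_user_meta( $last_id, 'session_tokens', $valid );
            } else {
                delete_user_meta( $last_id, 'session_tokens' ); // removes stored IPs too
            }
        }
    } while ( $ids );
}

// Register the job once; WP-Cron then fires the hook on the built-in 'daily' schedule.
add_action( 'example_purge_session_tokens', 'example_purge_expired_session_tokens' );
if ( ! wp_next_scheduled( 'example_purge_session_tokens' ) ) {
    wp_schedule_event( time(), 'daily', 'example_purge_session_tokens' );
}
```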