Make WordPress Core

Opened 21 months ago

Last modified 13 months ago

#44161 new enhancement

Expired session tokens need to be removed from database because GDPR

Reported by: mechter Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: 2nd-opinion
Focuses: Cc:


WordPress stores the IP address (which is considered personal information) as part of its session tokens in the usermeta table. When the session expires, GDPR would seem to require the IP address to be removed from the database, as there is no longer a reason to keep it.

There should be some kind of garbage collection that removes expired session tokens on a daily basis.

Change History (4)

This ticket was mentioned in Slack in #core-privacy by lakenh. View the logs.

14 months ago

#2 @desrosj
14 months ago

  • Keywords 2nd-opinion added; needs-patch removed

Hey @mechter, thanks for this ticket!

I am not sure that the IP should be erased automatically after a session expires. I would argue that it still holds a purpose, even for expired sessions. Say a user logs in and reviews their sessions. In my opinion, the IP address is important information because it helps the user confirm that a session rightfully belongs to them.

This also would be fairly difficult to accomplish, especially on sites with many users. Session data is stored in user meta on a per-user basis. This would require crawling through every user and checking every session in their meta key in some way.

I am inclined to close this as a wontfix, but I am going to leave this open for others to weigh in.

While reviewing this during this week's Privacy component office hours (transcript link above), it came to our attention that the session data, which could be considered personally identifiable, is not currently included in the data export. #45889 has been opened to tackle that.

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse. View the logs.

13 months ago

#4 @postphotos
13 months ago

@desrosj - I am inclined to agree with you philosophically here, and thanks for weighing in, though I think through a strict interpretation of IP data rules, @mechter might be right as it's part of the data that is recorded about a given user on a site. (Thanks for opening this ticket!)

Regarding this:

There should be some kind of garbage collection that removes expired session tokens on a daily basis.

I think in some organizations that are really concerned, the idea of session management could be entirely disabled and this would be a reasonable option. That being said, I think it's useful for a user to review their login history with a given site.

Would totally love others to weigh in as well!

Note: See TracTickets for help on using tickets.