Make WordPress Core

Opened 5 weeks ago

#44161 new enhancement

Expired session tokens need to be removed from database because GDPR

Reported by: mechter Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: needs-patch
Focuses: Cc:


WordPress stores the IP address (which is considered personal information) as part of its session tokens in the usermeta table. When the session expires, GDPR would seem to require the IP address to be removed from the database, as there is no longer a reason to keep it.

There should be some kind of garbage collection that removes expired session tokens on a daily basis.

Change History (0)

Note: See TracTickets for help on using tickets.