#63389 closed feature request (wontfix)
Add a UI in core to manage and revoke user login sessions
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | 2nd-opinion |
| Focuses: | ui, administration | Cc: | |
Description
WordPress has supported token-based session management via the WP_Session_Tokens class since version 4.0. However, there is currently no built-in UI to allow users or site administrators to view, inspect, or revoke active login sessions. This functionality is essential for security and transparency, and has become a standard feature in most modern content and identity management systems.
🧪 Proposed Feature:
Introduce a new admin interface to display and manage a user’s active login sessions. This feature would:
- Display a list of all current sessions for the logged-in user (or for administrators, optionally any user).
- Show session metadata such as:
  - Last activity timestamp
  - IP address
  - User agent (browser/device)
- Allow revocation of individual sessions via a “Log out” button.
- Include a global “Log out everywhere else” button to destroy all other sessions except the current one.
🛠️ Implementation:
This feature can leverage the existing WP_Session_Tokens API:
- WP_Session_Tokens::get_instance( $user_id )->get_all()
- ->destroy( $token )
- ->destroy_others( $current_token )
The UI could be:
- A new section in the Profile screen (/wp-admin/profile.php)
- Or a dedicated screen under Users > Sessions for administrators (e.g., /wp-admin/users.php?page=sessions)
🎯 Why in Core?
- Security: Provides users with visibility and control over active sessions, helping detect suspicious activity.
- Privacy Compliance: Supports user data transparency and rights to session termination (e.g., GDPR).
- Ecosystem Consistency: Reduces dependency on plugins for basic security needs.
- Low Complexity: Since the session API is already in core, this feature is mostly a UI enhancement, with minimal performance overhead.
🔗 Related Work:
- WordPress Core API: WP_Session_Tokens
- Similar plugin attempts: “Simple History”, “User Session Control”, etc. — all partial implementations with no core integration.
✅ Summary:
A native session management interface aligns with WordPress’s goals of usability, security, and data transparency. This would be a lightweight but high-impact enhancement for millions of WordPress sites.
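Added example (not part of the ticket and not WordPress core code): the WP_Session_Tokens calls named under Implementation, wrapped in the capability and nonce checks a session screen needs. The `example_` function names and the `example_revoke_sessions` action are hypothetical; it assumes the default session manager, where each stored session holds `login`, `expiration`, `ip` and `ua`.

```php
<?php
// Added example, not WordPress core code; "example_" names are hypothetical.

// Rows for display. get_all() returns the stored arrays without their keys,
// and destroy() expects the raw cookie token (core stores only its hash),
// so these rows cannot be revoked one by one through the public API.
function example_list_sessions( $user_id ) {
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return array();
	}
	$rows = array();
	foreach ( WP_Session_Tokens::get_instance( $user_id )->get_all() as $s ) {
		$rows[] = array(
			// By default core records login time and expiry, not last activity.
			'login'   => isset( $s['login'] ) ? wp_date( 'Y-m-d H:i', $s['login'] ) : '',
			'expires' => isset( $s['expiration'] ) ? wp_date( 'Y-m-d H:i', $s['expiration'] ) : '',
			// IP and user agent are request data: escape before output.
			'ip'      => isset( $s['ip'] ) ? esc_html( $s['ip'] ) : '',
			'ua'      => isset( $s['ua'] ) ? esc_html( $s['ua'] ) : '',
		);
	}
	return $rows;
}

// Handles a POST to admin-post.php with action=example_revoke_sessions.
function example_revoke_sessions() {
	$user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
	// Nonce bound to the target user blocks cross-site request forgery.
	check_admin_referer( 'example_revoke_sessions_' . $user_id );
	if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
		wp_die( 'Not allowed to manage sessions for this user.', '', array( 'response' => 403 ) );
	}
	$manager = WP_Session_Tokens::get_instance( $user_id );
	if ( get_current_user_id() === $user_id ) {
		// Own account: keep the session this request arrived on.
		$manager->destroy_others( wp_get_session_token() );
	} else {
		// Another user's account: end every session.
		$manager->destroy_all();
	}
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url( 'users.php' ) );
	exit;
}
add_action( 'admin_post_example_revoke_sessions', 'example_revoke_sessions' );
```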
Change History (3)
#2
@
10 months ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from assigned to closed
During the development of the current UI for session management (see #30264), the initial version built allowed for fine-grained control of sessions but user testing showed that this was unnecessary for the overwhelming majority of sites. This led to the current implementation (the logout everywhere else for the current user and the logout everywhere for others). Something that is more fine-grained is 100% plugin territory.
Hello, welcome to WordPress Core Trac and thank you for the feature proposal,
There is already a handful of plugins to handle this. In WordPress Core, one of the philosophy guidelines states "Decision, not Option" which means that a feature should be useful for 80% of websites. I'm unsure there is a majority of websites that would really need this feature. And maybe the majority of WordPress websites are single-user ones.
By the way, such a feature could be a simple action link in the user edit screen. So it doesn't add any new screen of a big and complex component.
For now, I still think this falls under the plugin territory area, but I'm keeping it open to gather other opinions :)