[wp-trac] [WordPress Trac] #44161: Expired session tokens need to be removed from database because GDPR
WordPress Trac
noreply at wordpress.org
Wed Jan 9 21:12:13 UTC 2019
#44161: Expired session tokens need to be removed from database because GDPR
-------------------------+------------------------------
Reporter:   mechter      | Owner:       (none)
Type:       enhancement  | Status:      new
Priority:   normal       | Milestone:   Awaiting Review
Component:  Privacy      | Version:     4.9.6
Severity:   normal       | Resolution:
Keywords:   2nd-opinion  | Focuses:
-------------------------+------------------------------
Changes (by desrosj):

* keywords: needs-patch => 2nd-opinion

Comment:

Hey @mechter, thanks for this ticket!

I am not sure that the IP should be erased automatically after a session
expires. I would argue that it still holds a purpose, even for expired
sessions. Say a user logs in and reviews their sessions. In my opinion,
the IP address is important information because it helps the user confirm
that a session rightfully belongs to them.

This also would be fairly difficult to accomplish, especially on sites
with many users. Session data is stored in user meta on a per-user basis.
This would require crawling through every user and checking every session
in their meta key in some way.

I am inclined to close this as a `wontfix`, but I am going to leave this
open for others to weigh in.

While reviewing this during this week's Privacy component office hours
(transcript link above), it came to our attention that the session data,
which could be considered personally identifiable, is not currently
included in the data export. #45889 has been opened to tackle that.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/44161#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform