[wp-trac] [WordPress Trac] #44161: Expired session tokens need to be removed from database because GDPR

WordPress Trac noreply at wordpress.org
Wed Jan 9 21:12:13 UTC 2019

#44161: Expired session tokens need to be removed from database because GDPR
 Reporter:  mechter      |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Privacy      |     Version:  4.9.6
 Severity:  normal       |  Resolution:
 Keywords:  2nd-opinion  |     Focuses:
Changes (by desrosj):

 * keywords:  needs-patch => 2nd-opinion


 Hey @mechter, thanks for this ticket!

 I am not sure that the IP should be erased automatically after a session
 expires. I would argue that it still holds a purpose, even for expired
 sessions. Say a user logs in and reviews their sessions. In my opinion,
 the IP address is important information because it helps the user confirm
 that a session rightfully belongs to them.

 This also would be fairly difficult to accomplish, especially on sites
 with many users. Session data is stored in user meta on a per-user basis.
 This would require crawling through every user and checking every session
 in their meta key in some way.

 I am inclined to close this as a `wontfix`, but I am going to leave this
 open for others to weigh in.

 While reviewing this during this week's Privacy component office hours
 (transcript link above), it came to our attention that the session data,
 which could be considered personally identifiable, is not currently
 included in the data export. #45889 has been opened to tackle that.

Ticket URL: <https://core.trac.wordpress.org/ticket/44161#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list