[wp-trac] [WordPress Trac] #63389: Add a UI in core to manage and revoke user login sessions

WordPress Trac noreply at wordpress.org
Sun May 4 16:12:10 UTC 2025


#63389: Add a UI in core to manage and revoke user login sessions
--------------------------------+-----------------------------
 Reporter:  smahjoob            |      Owner:  (none)
     Type:  feature request     |     Status:  assigned
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Users               |    Version:
 Severity:  normal              |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
 WordPress has supported token-based session management via the
 WP_Session_Tokens class since version 4.0. However, there is currently no
 built-in UI to allow users or site administrators to view, inspect, or
 revoke active login sessions. This functionality is essential for security
 and transparency, and has become a standard feature in most modern content
 and identity management systems.

 🧪 Proposed Feature:
 Introduce a new admin interface to display and manage a user’s active
 login sessions. This feature would:

 - Display a list of all current sessions for the logged-in user (or for
   administrators, optionally any user).

 - Show session metadata such as:

     - Last activity timestamp

     - IP address

     - User agent (browser/device)

 - Allow revocation of individual sessions via a “Log out” button.

 - Include a global “Log out everywhere else” button to destroy all other
   sessions except the current one.

 🛠️ Implementation:
 This feature can leverage the existing WP_Session_Tokens API:

 WP_Session_Tokens::get_instance( $user_id )->get_all()

 ->destroy( $token )

 ->destroy_others( $current_token )

 The UI could be:

 A new section in the Profile screen (/wp-admin/profile.php)

 Or a dedicated screen under Users > Sessions for administrators (e.g.,
 /wp-admin/users.php?page=sessions)

 🎯 Why in Core?
 Security: Provides users with visibility and control over active sessions,
 helping detect suspicious activity.

 Privacy Compliance: Supports user data transparency and rights to session
 termination (e.g., GDPR).

 Ecosystem Consistency: Reduces dependency on plugins for basic security
 needs.

 Low Complexity: Since the session API is already in core, this feature is
 mostly a UI enhancement, with minimal performance overhead.

 🔗 Related Work:
 WordPress Core API: WP_Session_Tokens

 Similar plugin attempts: “Simple History”, “User Session Control”, etc. —
 all partial implementations with no core integration.

 ✅ Summary:
 A native session management interface aligns with WordPress’s goals of
 usability, security, and data transparency. This would be a lightweight
 but high-impact enhancement for millions of WordPress sites.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63389>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
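
The listing and "log out everywhere else" paths named in the ticket, sketched against the WP_Session_Tokens calls it cites. This is an added example, not code from the ticket or from WordPress core; the example_* function names and the admin-post action name are hypothetical. It is limited to those two paths because get_all() returns session data without the tokens that destroy( $token ) expects.

```php
<?php
// Added example: example_* names and the admin-post action are hypothetical.

// Return display-safe rows for one user's sessions, or WP_Error if not allowed.
function example_get_session_rows( $user_id ) {
	$user_id = (int) $user_id;

	// Users may view their own sessions; anyone else needs edit_user on the target.
	if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
		return new WP_Error( 'example_forbidden', 'Not allowed to view these sessions.' );
	}

	$rows = array();
	foreach ( WP_Session_Tokens::get_instance( $user_id )->get_all() as $session ) {
		// 'ip' and 'ua' are recorded from the login request. 'ua' is
		// client-supplied, so every field is escaped before it reaches HTML.
		$rows[] = array(
			'login'      => isset( $session['login'] ) ? esc_html( wp_date( 'Y-m-d H:i', $session['login'] ) ) : '',
			'expiration' => esc_html( wp_date( 'Y-m-d H:i', $session['expiration'] ) ),
			'ip'         => isset( $session['ip'] ) ? esc_html( $session['ip'] ) : '',
			'ua'         => isset( $session['ua'] ) ? esc_html( $session['ua'] ) : '',
		);
	}
	return $rows;
}

// Handle "Log out everywhere else" for the requesting user only.
function example_destroy_other_sessions() {
	// Reject forged requests: the form must carry a nonce created with
	// wp_nonce_field( 'example_destroy_others' ).
	check_admin_referer( 'example_destroy_others' );

	// The user ID comes from the authenticated session, never from request
	// input, so one user cannot end another user's sessions through this path.
	$manager = WP_Session_Tokens::get_instance( get_current_user_id() );

	// Keep the session behind the current auth cookie and drop the rest.
	$manager->destroy_others( wp_get_session_token() );

	wp_safe_redirect( admin_url( 'profile.php' ) );
	exit;
}
// admin_post_{action} runs only for logged-in users.
add_action( 'admin_post_example_destroy_others', 'example_destroy_other_sessions' );
```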

