2 Suggestions For Improvement: GDPR Compliance And PHPSESSID Replacement
1) For GDPR compliance, can you please add an option to disable IP address collection?
Another feature for GDPR compliance would be an opt-in box. Otherwise, the IP address is collected illegally from European Union residents unless they were asked to give consent right after landing on the website. However, an option to disable IP address collection would be a great first step in the direction of compliance.
2) There are better mechanisms than PHPSESSID cookies. A good explanation of the reasons it’s not good, from https://kinsta.com/blog/wordpress-cookies-php-sessions/, is below.
“The problem with PHP sessions all comes down to performance and caching issues. The information stored in the browser cookie has to bounce back and forth with each request so that the server knows who the user is. This means for sites that use PHPSESSID, the host would have to set the PHPSESSID to bypass the cache. However, the result is that PHPSESSID would have to be set to bypass 100% of the time, because unlike wordpress_logged_in, the PHPSESSID is set on every single PHP request.
So imagine that the wordpress_logged_in had to be set 100% of the time to allow login functionality to work. Meaning that even logged-out users would have to have the cookie and it would have to be unique to them. Imagine that was required in order for the WordPress login system to work. In that scenario, every single page view would have to bypass cache so that the wordpress_logged_in cookie was set correctly both for logged in and logged out users.
That’s the problem with using PHPSESSID. Because it’s generated on every single PHP request, if a site relies on PHPSESSID cookies the host would have to set PHPSESSID to bypass cache 100% of the time. Otherwise, the PHPSESSID’s end up cached and it messes up whatever functionality relies on it.”