The code added in https://www.drupal.org/SA-CORE-2017-003 required writing to the session every time an anonymous user uploads a private file. This can have performance implications since the session cookie means those users won't see cached pages after the upload.
The information in the session needs to be there after the file is uploaded so that the user can preview the file before saving the content it is attached to. However, it doesn't need to be there after that.
Therefore, it would be a useful improvement if we can figure out how to delete the record of that file from the user's session once the content is permanently saved (or once the file is deleted). That way, in many cases the anonymous user who uploaded the file will be able to go back to receiving cached pages again.
Comments
Comment #3
xjm