Wordpress session management

Question

I'm putting up a site using Wordpress and I'd like to piggyback on its sessions. But I'm not finding any plugins, or even documentation. Any suggestions or references before I start hacking it?

Note: I'm asking about if and how WP uses standard PHP sessions itself, not how to add PHP sessions e.g. using session_start(). Apparently any state WP maintains is accomplished by other means. So if I want to use PHP sessions I need to add and maintain it myself entirely, using techniques like those in the thread.

Thanks all!

Better solution here: http://wordpress.stackexchange.com/a/72744/20261 — kuzey beytar, Nov 16 '12 at 13:54

Andrey Rudenko · Answer 1 · 2018-01-23T16:03:53.580

18

It's a very bad idea to modify WP Core files for the ability to use sessions. The best way I've found is to call the session_start() from init action hook.

function kana_init_session() {
  session_start();
}

add_action('init', 'kana_init_session', 1);

You can place it in functions.php file of your theme.

Detailed article can be found here: http://www.kanasolution.com/2011/01/session-variable-in-wordpress/

edited Jan 23 '18 at 16:03

answered Jan 22 '11 at 17:42

Andrey Rudenko

1,271
20
34

score 15 · Accepted Answer · edited Aug 15 '18 at 23:48

15

WordPress doesn't appear to call session_start() because it wants to be stateless and if register_globals is defined, it automatically destroys your $_SESSION

edited Aug 15 '18 at 23:48

Bhargav Rao

50,140
28
121
140

answered Mar 25 '10 at 08:43

Steve

3,601
4
34
41

Thanks - from that I learned that you can call session_start() yourself in wp_config, which won't be overwritten by updates. But better than that, I'm using wp_config to instantiate a singleton instance of a "Context" class I'm using to hold a bunch of stuff I'm adding (including e.g. extended user auth tables etc.), and it can call session_start(). Your reference clarified it for me. (Now I need to maintain wp_settings with his patch to retain $_SESSION, or else use the consolidated "$input" array. Or let "Context" maintain and update the session variables.) I hate it when they do that. – dkretz Mar 26 '10 at 01:43
2

Link is dead, but it's in the wayback machine https://web.archive.org/web/20161021035452/http://www.thinkingoutloud.co.za/content/20091012/php_wordpress_and_session – Kaktus Jul 12 '17 at 14:40

score 5 · Answer 3 · edited Nov 29 '12 at 10:56

For what I need to do, the best answer involves:

To allow the cookie for wordpress to persist across subdomains, install the Root Cookie plugin.
sub1.domain.com has wordpress; sub2.domain.com is another site. From the other site (sub2), I read the cookies to identify who the user is and if the user is logged in.

My cookies are as follows:

[wordpress_909bb230b32f5f0473202684d863b2e0] => mshaffer|1255298821|d0249fced9c323835c5bf7e84ad3ffea
[wordpress_logged_in_909bb230b32f5f0473202684d863b2e0] => mshaffer|1255298821|56e9c19541ecb596a1fa0995da935700

Using PHP, I can loop over the cookies, parse the key=>value pairs. These cookies let me know that [mshaffer] has a cookie stored on wordpress, and also is authenticated as logged_in. The expiry of the cookie is 1255298821.

In sub2, I can query the database of wordpress and grab the user info:

SELECT * FROM `wp_users` WHERE user_login = 'mshaffer' ... grab user_id, user_email from this query

SELECT * FROM `wp_usermeta` WHERE user_id = '$user_id' ... grab lots of other data from wp

With this info, I can add to my sub2 session variable / cookie and do what I want with the data. I can identify if I am logged in, and my username ... which let's me grab lots of different data. I can now use WordPress authentication in my sub2.domain.com and redirect accordingly.

monte

{x:

Bear in mind that you can't rely on the cookie being genuine. I could send your site a cookie with any username I wish. The long hex string is (I think) a cryptographic checksum which you need to parse to ensure the cookie was set by WordPress. — Tamlyn, Nov 28 '12 at 14:05
Certainly Tamlyn you can pass additional salt/pepper in the cookie and additional checks on comparison. — mshaffer, May 23 '14 at 13:13

score 5 · Answer 4 · edited Apr 13 '17 at 12:37

Consider using WordPress Transient API

Values stored using the Transient API are visible to all users, not just the current user, depending on the unique identifier used to retrieve the transient, you could assign each user a unique identifier essentially causing a transient to behave very much like a session.

Further considerations:

Depending on a users setup with object cache, etc., transients may not always be stored in the DB (e.g. memcached), using transients for sessions could mean that the data can get bulky and fill memory quickly (in the use of memcached).
Also, it seems that WP does not do auto garbage collection for transients: https://wordpress.stackexchange.com/questions/6602/are-transients-garbage-collected

score 3 · Answer 5 · answered Oct 04 '09 at 04:16

3

Wordpress doesn't seem to use any sessions.

The best way to go about it is to use the action hooks it provides.

answered Oct 04 '09 at 04:16

Anraiki

786
1
10
26

2

You are completely incorrect, Anraiki. **Wordpress surely does use Sessions**. And.. additionally, if you want to use your own custom session values, follow the following way: You need to add following lines at the top of `wp-config.php` if (!session_id()) { session_start(); } Then add following line at the top of `header.php` session_start(); – Alvin Nov 02 '11 at 06:42
4

WordPress uses cookies, not sessions – Ian Jamieson Mar 05 '13 at 11:10
WordPress by default does not use sessions. – Brian C May 23 '18 at 02:26

score 1 · Answer 6 · answered Aug 09 '12 at 11:59

1

Have you checked the solution here this may work for here and its on easy way

http://thedigilife.com/wordpress-how-to-set-session-custom-variable-while-login/

answered Aug 09 '12 at 11:59

Chirag Kalani

368
2
9

score 1 · Answer 7 · answered Aug 10 '12 at 14:48

1

Hooking a function with session_start() on wp_loaded seems to work in this case.

answered Aug 10 '12 at 14:48

vmassuchetto

1,529
1
20
44

score 1 · Answer 8 · edited Nov 24 '12 at 21:20

1

Put this code in wp-config.php at first line:

if (!session_id()) {
    session_start();
}

Put this code in theme's header.php at first line:

session_start();

Then it will maintain all session variables.

edited Nov 24 '12 at 21:20

Garrett Hyde

5,409
8
49
55

answered Apr 13 '11 at 12:08

meddyman

19
1

This is nice, but don't do both. Putting it in wp-config.php is a problem as it will always create a session, and that uses resources. Even bot hits would create a session - one per hit as they don't do cookies. That's a lot of sessions! – Brian C May 23 '18 at 02:07

score -1 · Answer 9 · answered Nov 02 '11 at 06:45

-1

If you wanna use your own session values, Wordpress does support it.

You need to add following lines at the top of wp-config.php

if (!session_id()) {
    session_start();
}

Then add following line at the top of header.php

session_start();

answered Nov 02 '11 at 06:45

Alvin

1,850
4
15
17

Editing wo-config.php isn't real good if you are writing a plugin. If a plugin needs it, hook session_start() into init or wp_loaded. Worth noting that the fact that you can edit wp-config.php like this doesn't mean that WordPress actually supports it as such - after all, you are doing all the code. There is a serious problem here as well - putting session_start() means that every hit, even bots, will create a new session in your session folder. If you get a lot of traffic this can fill up and cause various problems, so best to only create a session when/where it is needed. – Brian C May 23 '18 at 02:25

Wordpress session management

9 Answers9

Linked