The reason for not working $_SESSIONS in WP Core:
The thing WordPress is doing with sessions is burdened inside ~/wp-includes/load.php.
The responsible function for resetting the $_SESSION to null is wp_unregister_GLOBALS(). So in case you really need it, you’ll have to turn register_globals off in your php.ini file.
/**
* Turn register globals off.
*
* @access private
* @since 2.1.0
* @return null Will return null if register_globals PHP directive was disabled
*/
function wp_unregister_GLOBALS() {
if ( !ini_get( 'register_globals' ) )
return;
if ( isset( $_REQUEST['GLOBALS'] ) )
die( 'GLOBALS overwrite attempt detected' );
// Variables that shouldn't be unset
$no_unset = array( 'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix' );
$input = array_merge( $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset( $_SESSION ) && is_array( $_SESSION ) ? $_SESSION : array() );
foreach ( $input as $k => $v )
if ( !in_array( $k, $no_unset ) && isset( $GLOBALS[$k] ) ) {
$GLOBALS[$k] = null;
unset( $GLOBALS[$k] );
}
}
The idea behind it?
Also of note, is that technically there is no real need for sessions, there are always other avenues. Sessions rely on a session ID to validate and provide continuance, but these can be intercepted/predicted/stolen, at which point someone can impersonate you
– by @TomJNowell in the comments.