Using session in WP without trouble with the API REST

The only way to make this go away is to not use PHP sessions and use cookies directly instead.

PHP sessions are fundamentally incompatible with a lot of page caching and CDN mechanisms e.g. cloudflare, Varnish, or full page caching plugins such as batcache or WP Supercache. PHP Sessions are also turned off and disabled on a lot of WP hosts e.g. WP Engine.

You cannot rely on PHP sessions in WordPress, especially if you want to write portable code or sell themes/plugins.

PHP Sessions also can’t be used to bypass cookies as the session ID itself is stored in a cookie. There are also security consequences as the user can change this ID in the browser dev tools to retrieve the information of other users. This is much harder with cookie based sessions. In PHP sessions the data is stored server side so I only need to know the right ID for the application to fetch the other persons session details. In cookie based sessions though the data is sent in the HTTP request and is not persisted in server memory, so I need to steal that cookie from your machine to impersonate you which is easier said than done.

Instead use standard cookies. e.g. setcookie( 'key', 'value' );. This is what WordPress itself does, it’s also how a lot of e-commerce sites implement carts ( think for a moment, how do sites that aren’t built in PHP do it? PHP sessions are unnecessary ).

Related Posts:

  1. PHP 7.2 – Warning: count(): Parameter must be an array or an object that implements Countable
  2. Sticky and NON-Sticky sessions
  3. Session timeout in ASP.NET
  4. Authentication: JWT usage vs session
  5. How to use my own custom session value in WordPress?
  6. achieving login implementation without using sessions
  7. Destroy user sessions based on user ID
  8. Enable WordPress Sessions
  9. Where is the wordpress session stored?
  10. Share session between my site and WP blog [closed]
  11. How to get outside login data (session) in WordPress?
  12. Session problem in PHP – trying to create a simple CAPTCHA
  13. Multi-instance WordPress usingn Memcached to handle sessions requests login every time a requests is handled by a different server
  14. Would this be achieveable?
  15. Re-use Nonce in Repeating Event Signup Buttons
  16. Plugin is attempting to start a session with WordPress. WP Session Manager will not work! DomPdf
  17. Session is not working properly
  18. Retrieve parameter from url
  19. Session constantly resets variable
  20. sharing the same cookie session with multiple wordpress installs on the same domain?
  21. How to check if the user was redirected?
  22. Session stays active until page update in dashboard
  23. Parsing session info between WordPress and non-WordPress
  24. $_SESSION dosent’t work
  25. Form submission: PHP S_SESSION statements within a foreach loop
  26. What are sessions? How do they work?
  27. How to use cURL to send Cookies?
  28. “Cannot send session cache limiter – headers already sent”
  29. How do I expire a PHP session after 30 minutes?
  30. PHP sessions that have already been started
  31. Session variables not working php
  32. How reduce wordpress login session timeout time?
  33. Removing username from the ‘wordpress_logged_in’ cookie
  34. Are transients private or public?
  35. Is it possible to transfer a WordPress session to a different browser via query string?
  36. Disable WordPress 3.6 idle logout / login modal window / session expiration
  37. How to pass users back and forth using session data?
  38. Allow up to 5 Concurrent Login Sessions
  39. How to fake a WordPress login?
  40. Does using set_transient() function can lead to MySQL problems?
  41. Clearing cookie on logout and session expiration
  42. Display message once per session to users with a specific role
  43. share login/logout sessions across two installs?
  44. Handling nonces for actions from guests to logged-in users
  45. How can I get logged in user’s session data from admin-ajax?
  46. How do I extend auto logout on idle OR redirect inline popup
  47. $_SESSION variables lost during OAuth callback
  48. 2 different post->IDs for single page load only in Firefox
  49. how to logout user on browser tab or window closes
  50. Custom query form submission pagination
  51. Site Health : An active PHP session was detected
  52. WooCommerce: Change default country on the cart page [closed]
  53. pass-protected pages and posts not protected after enter them 1 time
  54. Trigger a function immeditely after a user posted a comment
  55. Disconnect automattically after X minutes
  56. How to implement a $_SESSION alternative in WordPress inside a theme without a plugin?
  57. WordPress Keeps Logging Out – What Tests Can I Run to Solve This?
  58. How to store post ID’s in cookie or session to display the same posts later
  59. Share WordPress login info with other PHP app
  60. Change the default 10-day expiration for the password protected pages cookie
  61. iframe does not store session/cookie when refresh parent
  62. Login/Logout Session Sharing – Multiple WordPress Installations
  63. Disallow second login session
  64. Permalink structure with $_SESSION variables
  65. Unique session WordPress
  66. Safe to start a php session on get_header action?
  67. Unset session variable on page reload / setup but exclude AJAX
  68. Run query_posts if SESSION is empty?
  69. How to change WordPress cookies to be session-only
  70. How do I add $_SESSION[”] to my wordpress page?
  71. Updating transient value frequently
  72. Custom $_SESSION expires too early
  73. Store and Change Session variable – PHP SESSION VARIABLE
  74. PHP session when called wp_ajax_nopriv
  75. WordPress Website with Login system
  76. Error when setting cookie
  77. Add session or cookie to remember last menu location
  78. Replacing a placeholder term with a session variable value in taxonomy filter
  79. Set cookie parameters on wp site – PHP not working?
  80. Session management issues with WordPRess 404 Error page
  81. Plugin or ways to limit number of users logging in the website,
  82. Restricting wordpress login sessions for a web app
  83. Like and Dislike Buttons on Post with Counter – Only allow one click per post per user session
  84. Correct user session/cookie handling with external site connection in wordpress
  85. Requiring a Visitor to Enter a Password Each Time They visit a Page
  86. after logout session not destroy from server/website side
  87. Best hook for when a user session ends?
  88. Pass WordPress variable to the next page
  89. ajax polling with admin-ajax.php
  90. How to destroy all user sessions via WP-CLI
  91. Session variables lost during Ajax calls – WordPress – Sage Starter Theme
  92. Why WordPress not logout after I have close my browser?
  93. SHORTINIT and sessions
  94. User not logged first time I open the homepage
  95. Where are Sessions are being started? [closed]
  96. WordPress & PHP sessions
  97. How to limit user to login only once per session
  98. how to manage Session in WordPress using custom login?
  99. determine active user browser at the same time
  100. PHP – Having $_SESSION as an array and adding $_SESSION to array