Using Sessions to Filter Posts – bad thing?

As far as their use within WordPress, there is no native method to use $_SESSION. This means it is entirely on you to mitigate any security issues this presents.

Other problems depend on how your session data is saved. One problem I’m aware of is when the allocated memory for memcache is reached, it will drop the least recently used objects to make room for new ones1. But then, this also shouldn’t a problem for $_SESSION if you can allocate the appropriate amount of memory to support your site’s level of traffic.

WordPress has an API for transients where the data is stored in the database unless a caching plugin is used (I believe this is ultimately determined by wp_using_ext_object_cache2). When stored in the database, the loss of least recently used data shouldn’t be an issue with transients. There may be advantages and disadvantages to this (database vs fast memory), but I just wanted to demonstrate an example of WordPress’s native stateless design solution to storing temporary data. This problem would have to be solved on the server side, outside of WordPress if it should arise while using $_SESSION.

There are performance advantages/disadvantages depending on whether session is saved in hard disk files, RAM, database or other. These relate more to how the server is set up than the use of $_SESSION in WordPress though, since WordPress is essentially blind to the use of $_SESSION.

WP Engine has posted a good outline for why they don’t recommend the use of $_SESSION with WordPress3, which I’ve posted below. Some of these are more applicable to how the server is set up, but take a look and decide how they might affect your site and if you think $_SESSION is a good solution for you. As I said, WordPress is blind to the use of $_SESSION, it’s not handled natively, which leaves this open to the broader scope debate of whether it should be used in your PHP code at all.

PHP Sessions
We do not currently recommend using $_SESSION variables
at all. This is for a number of reasons:

  1. While WordPress itself supports the use of $_SESSION, WordPress is stateless and does not natively use $_SESSION. The proper way to work
    with WordPress is using cookies.

  2. There are a number of security concerns when using $_SESSION.:

    • Session Poisoning
      • The attacker first visits the victim’s page, and e.g. logs on. Attacker then uploads a PHP script to his account, and has it display
        context of $_SESSION (set by victim script).
      • Attacker determines which variable needs to be changed, uploads a script which sets this variable, executes it.
      • Attacker visits victim pages to see if anticipated exploit worked.
      • This attack only requires that victim and attacker share the same PHP server.
      • The attack is not dependent on victim and attacker having the same virtual hostname, as it is trivial for attacker to move the
        session identifier cookie from one cookie domain to another.

    • Session Fixation (on shared servers) For more information, see these two links:

    • Session ID hijacking can be a problem with PHP Websites. The PHP session tracking component uses a unique ID for each user’s session,
      but if this ID is known to another user, that person can hijack the
      user’s session and see information that should be confidential.
      Session ID hijacking cannot completely be prevented; you should know
      the risks so you can mitigate them. Depending on what plan you’re on
      with us, your site may run on a shared Web server. Be aware that any
      session variables can easily be viewed by any other users on the same
      server. Generally, the best way to mitigate this vulnerability by
      storing all sensitive data in a database record that’s keyed to the
      session ID rather than as a session variable. Non-sensitive data can
      be stored in cookies.

  3. For our customers who are set up on clusters, we would have to completely change how our load balancers work, just to make sure that
    $_SESSION variables were available between different servers.

Related Posts:

  1. Sticky Posts exceed posts per page limit
  2. Theres a way to use $query->set(‘tax_query’ in pre_get_posts filter?
  3. Modify Taxonomy pages to exclude items in child taxonomies
  4. Prevent pre_get_posts filter on specific post type
  5. Obliterate the main query and replace it
  6. Post injection – how to exclude the original post
  7. Adding meta_key via pre_get_posts causes navigation to disappear
  8. Archive Listings Filtered by Date Values in a Custom Field/Post Meta?
  9. Sorting posts that has a meta value first then the rest of the posts
  10. pre_get_posts on a page
  11. How pre_get_posts filter by roles in WP Admin
  12. Weird problem with pre_get_posts and $query->is_page()
  13. Why is ‘pre_get_posts’ having no effect?
  14. Sessions not creating correctly in custom function
  15. Date Query to Pull Current and Future Posts
  16. pre_get_posts all posts and custom post type with certain tag
  17. pre_get_posts and the blog page
  18. Archive by custom post type and custom date field
  19. pre_get_post filter returns results when there should not be
  20. Trying to exclude first 5 posts from the first page on the homepage
  21. pre_get_posts filter using numeric meta_query comparison (from dates)
  22. Exclude a WordPress post from pre_get_posts if a field is null
  23. Why the ‘date_query’ is not working in ‘pre_get_posts’ hook?
  24. Only show certain post types in recent posts widget
  25. pre_get_posts for exclude category
  26. Custom search for custom post meta with pre_get_posts interferes with WP search
  27. pre_get_posts: using tax_query only for certain post type
  28. pre_get_posts dont firing… Anybody knows whats the wrong with my code?
  29. Restrict Search Query To After Specific Date
  30. WP_Error not displaying errors
  31. Show all posts even if URL points to a single one
  32. How to achieve post_status__not_in?
  33. Ordering by meta_key
  34. Custom post type search using $_SESSION and pre_get_posts
  35. Using a pre_get_posts filter to search for multiple strings on all meta values
  36. Removing taxonomy query by pre_get_posts
  37. How Can I Move Data From Form 1 To Form 2
  38. Login/Logout Session Sharing – Multiple WordPress Installations
  39. Using different parameters for different queries with pre get posts in functions.php
  40. how to restrict posts_request filter to the main query only
  41. Automatically applying a pre_get_posts filter for child categories only
  42. How to override a query and display specific page by ID?
  43. pre_get_posts variables
  44. Another query in pre_get_post cause memory issue
  45. pre_get_posts having no effect on my category archive
  46. pre_get_posts returns non property object when using posts__not_in
  47. Override tax_query with pre_get_posts to include other term_ids on a single category
  48. $query->is_main_query() is causing query’s tax_query to be ignored
  49. Menu disappears when meta_key changed [closed]
  50. pre_get_posts with multiple queries
  51. Custom Post Limit for homepage only without plugin?
  52. How to show the last and newest modified post in a custom category?
  53. Altering the main query using get_post_meta() in pre_get_posts
  54. Why query by specific date with variables doesn’t return same result that with harcoded integers?
  55. Sort WordPress Archive by multiple oderby arguments in pre_get_posts action
  56. Exclude post type with pre_get_posts?
  57. Exclude page by title for non admins
  58. problem with setting tax_query in pre_get_posts
  59. Problem ID to exclude specific posts from category
  60. Modify Taxonomy pages to exclude items in child taxonomies
  61. Modify author archive query to combine two queries
  62. Woocomerce – Order products by float attribute in archive pages
  63. Change post order on archive to be displayed by most commented being ignored by theme
  64. Complex query using pre_get_posts
  65. Super confusing ‘pre_get_posts’ behavior with $query->set
  66. Having trouble with settings terms as array in pre_get_posts
  67. Override main query for page template
  68. Querying custom taxonomy on category-specific page is overwritten by function
  69. how to get content from other site and show it?
  70. Insert a variable in pre_get_posts
  71. Extend taxonomy term page with other posts
  72. Set a custom number of posts on the first page
  73. Pre_Get_Posts order DESC not registering
  74. Using pre_get_posts to filter by custom fields while using static front page
  75. Why does this query not SELECT post IDs like a normal query would?
  76. Please ensure me that I’m not crazy using the pre_get_posts [closed]
  77. How to pass >= condition filter to my year custom tax_query
  78. how to manage Session in WordPress using custom login?
  79. What is the proper way to use pre_get_post?
  80. pre_get_posts has php notice when not on CPT archive
  81. Duplicating event posts in wordpress
  82. How to use PanelColorSettings in custom Gutenberg block?
  83. How to delete the Hello Dolly plugin automatically?
  84. Posts not showing with custom categorybase and subcategories [closed]
  85. Gutenberg Blocks – Attributes from comment delimiter or from HTML?
  86. Getting Post details when post is published
  87. How to structure a site with product variations pages?
  88. Advanced Custom Fields: Sorting custom columns with custom fields sorts only by date
  89. Accessing data from a non-WP database/table within a page content
  90. How do I add a promotional message to my posts?
  91. Modify post filter to set custom number of posts per page and exclude child posts
  92. Customize rel=canonical tag for single blog post
  93. WooCommerce: One term for Many Product Attributes
  94. Divi: how to hide/show specific menu according current page?
  95. “woocommerce_form_field()” function having issues after latest woocommerce update [closed]
  96. unregister a sidebar widget
  97. Multiple values in WP_Query : category__and
  98. how to auto fille conatct form 7 when user is logined
  99. Customizer API way function is_customize_preview() works only in main page?
  100. Woocommerce send custom email receipt based on product attribute

Leave a Comment