You will need to use the authenticate filter:
https://codex.wordpress.org/Plugin_API/Filter_Reference/authenticate
add_filter( 'authenticate', 'myplugin_auth_signon', 30, 3 );
function myplugin_auth_signon( $user, $username, $password ) {
return $user;
}
Return a WP_Error object to indicate failure or an issue, or a WP_User object on success.
There are also 2 core functions hooked into that filter that will need removing named wp_authenticate_username_password and wp_authenticate_spam_check, these will need removing via the remove_filter function.
Once this is done, WordPress will rely on your own Auth system.
Caveats:
- You will need to create and update WordPress users to match yours on login and when they’re updated. A lot of code relies on the user table and the assumption of user meta, but you can set that meta and those users based on your database. Eliminating the user table entirely is not feasible
- You’ll be using WordPress’ cookie based session system
- If you want PHP sessions, that’s an entirely new problem. WordPress doesn’t use PHP sessions, and you’ll have to write all of that code yourself. Keep in mind that PHP sessions don’t behave well on a lot of managed hosts, and most plugins and themes don’t use or respect them either. I do not see what advantages you would gain unless you have another system that depends on sessions