WordPress and PHP Sessions – Security and Performance

This has very little to do with wordpress, but if this answer will help eliminate the usage of session, it might be worth it….

Sessions are stored on the hard disk of the server. This is problematic in a shared hosting scenarion because the session directory is most likely readable and writable by all process running on the server, not only your site. All shared resources on a shared hosting server that do not have OS level user based protection (like directory permissions) is at least suspicious and you should not use it for anything secure or private.

lets repeat Sessions are stored on the hard disk of the server. What happen if you are running in a multi server enviroment? How will you be able to locate your session information. The only way to have it work is to tie users to specific servers which is not optimal.

And again Sessions are stored on the hard disk of the server. If you use sessions as integral part of your HTML generation it means that you can not cache your HTML.

WPEngine, is a shared hosting in a multi server enviroment that does caching by default.

As for WC, as it said in what you are quoting, they do not use php sessions, and invent their own mechanism by storing session information in the DB. This is also a problematic solution as it means that heavy traffic might bring the site down if you do not do it with extreme care (I guess in that case the session starts only when a user starts the process of buying a product). Why they do it like that and do not rely on cookies, you will have to ask them, I assume that tracking incomplete transactions is part of it, another part is that cookie information on http sites is basically public, and if you want to avoid information leakage you need to store it on the server.

What is adviced in your case? this will be hard to say without more details, but probably you should work to eliminate the use of anything which feels like a session. HTTP was not designed to have sessions, and it is best not to fight this fact of life.

Related Posts:

  1. How to store username and password to API in wordpress option DB?
  2. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  3. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  4. Nonces can be reused multiple times? Bug / Security issue?
  5. Can someone explain what wp_session_tokens are, and what are they used for?
  6. What is the difference between esc_html and wp_filter_nohtml_kses?
  7. How should you hook a session_start() when authoring a plugin?
  8. Does using set_transient() function can lead to MySQL problems?
  9. Nonce in settings API with tabbed navigation
  10. Log in from one wordpress website to another wordpress website
  11. Escaping built-in WP function return strings
  12. What is the difference between strip_tags and wp_filter_nohtml_kses?
  13. WP Cron doesn’t save or in post body
  14. Sessions not creating correctly in custom function
  15. WordPress restrict plugin file direct access
  16. Plugin development: is adding empty index.php files necessary?
  17. Confusion on WP Nonce usage in my Plugin
  18. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  19. Correct way check nonce (security) using old Options API
  20. Why do I need to check if wp_nonce_field() exists before using it
  21. Is there any way to check for user login and send him to login?
  22. WordPress security issue to output data from user input from theme option form
  23. External Authentication, session_tokens not destroyed on logout
  24. Verify if user is wordpress logged in from another app since wordpress 4.0
  25. Secure Pages Best Practice
  26. Securing/Escaping Output of file content – reading via fread() in PHP
  27. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  28. Video Security just like facebook [closed]
  29. captcha not working in my custom plugin
  30. Is disabling test_form in wp_handle_upload a security concern?
  31. How to connect my wordpress plugin to a remote database securely?
  32. wp_nonce_field displaying twice
  33. Is it necessary to do validation again when retrieving data from database?
  34. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  35. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  36. add_submenu_page hooked function must explicitly check user capabilities – why?
  37. Displaying “One Time” Notification in Plugins
  38. Are there any security risks when submitting data-attribute data through AJAX?
  39. Why would you use esc_attr() on internal functions?
  40. Updating transient value frequently
  41. Is it possible to use WP-CLI in a plugin (or theme)?
  42. Secruity Questions on a timer
  43. Using HTML links within translatable string
  44. How can I save a password securely as a settings field
  45. Using password protection to load different page elements?
  46. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  47. How to store sensitive user data (passwords)
  48. How do I make secure API calls from my WordPress plugin?
  49. esc_attr() on hard coded string
  50. how to add security questions on wp-registration page and validate it
  51. $_SESSION inside php function executed by AJAX
  52. Experts opinions needed: How (in)secure is this approach?
  53. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  54. How to create session for user which is not an admin user
  55. Sessions in plugin development?
  56. Data Validation, dynamically generated fields (select for example)
  57. Create a Custom Login System in WordPress [closed]
  58. esc_url, esc_url_raw or sanitize_url?
  59. How can I update a wordpress plugin from a Git repository (github)
  60. Is There a Plugin Life Cycle Documentation?
  61. What is an alternative method to the WordPress private _doing_it_wrong() function
  62. Admin settings update updating every time home page is hit?
  63. How to prevent newline from appearing in shortcode?
  64. How to catch images with blank dimensions?
  65. Conflicting save_post functions when passing the post id and saving custom meta boxes for different post types
  66. Dynamically override page.php or single.php with custom templates using function
  67. How to get an image transferred via FTP or script to appear in Media Manager?
  68. Does settings API create settings on run time?
  69. wordpress 3.0 json issue
  70. How to extend expiry time of jwt wordpress token?
  71. $content variable – Is this a reserved variable for a WordPress function? – php / wordpress
  72. Applying OO patterns and principles to plugin development
  73. How to schedule a cron job in plugin without waiting for page load request?
  74. Replace youtube embed in wordpress
  75. How developed with version control word press site on shared host? [closed]
  76. Admin – Handle data before creating or updating a post, page or custom post
  77. wp_redirect on base wp-admin and login
  78. Valid filenames for add_action’s first parameter
  79. What to hook into to check a value before a post is published?
  80. Correct syntax for database inserts from plugin?
  81. How to add a gradient component to a custom block
  82. wp_schedule_event() set daily, but processed every second
  83. $wpdb->update() always need a second try
  84. Why aren’t some plugin styles loading when I load a template?
  85. Pagination not working with custom wp_query
  86. WordPress actions for plugin admin UI page
  87. wp_insert_user keeps echoing values
  88. Pause plugin option page until all data manipulation is complete
  89. howTo let wordpress endpoint return html-page
  90. User meta query using Wildcard
  91. wp_ajax add_action fuction won’t fire on custom jQuery action
  92. Dedicated server and WPDB Class : huge slow-down of the website
  93. How can I see a varibles value when my plugin runs?
  94. Add Button to TinyMCE Custom Menu
  95. WordPress plugin: admin-ajax.php not passing data to custom function
  96. Create pages for authors
  97. How do I create Widget within plugin that uses its own class?
  98. How to design WooCommerce-like admin tabs for plugin settings page?
  99. Woocommerce: block user removing cart item
  100. How can I dynamically change title and description in WordPress?

Leave a Comment