wp_signon always passed the password even though the password is wrong

The wp_signon function is probably working exactly as it is supposed to. What you're missing is that other methods of authentication exist, like the browser cookies, and wp_signon will check those too. Is your browser sending your WordPress authentication cookies to your script?

The bottom line is that you should not be using wp_signon here, or realistically, anywhere. See, the wp_signon function performs the entire authentication stack, not just a simple username and password check. People can authenticate in ways other than providing a username and password, and wp_signon will check them all, including methods added by plugins and anything else that hooks to the authenticate filter.

The wp_signon function is intended for actually authenticating to WordPress itself, not to your script. You’re using the wrong function for your purpose.

If you simply want to check a username and password, use the wp_authenticate_username_password function instead.

Basically, the entire notion of “signing in a user” doesn’t actually make any sense from a PHP script standpoint. You can verify a user’s credentials and then simply do wp_set_current_user to become that user, but the code can really be any user it wants to be. You can call wp_set_current_user to “become” any user, without any credentials at all. A custom PHP script has total access to start with.

So, really, there's never any need to call wp_signon unless you're wanting to a) authenticate and then b) send back authentication cookies to the user's browser. If you're not actively talking to a user's browser to authenticate that browser to WordPress via cookies, then you don't need to be doing wp_signon, ever.

If you need to verify a user’s credentials from somewhere else, then there are many functions to do that. You can verify those credentials using whatever means you like and then wp_set_current_user to become that user for this particular session only. If you want to log them in on a more permanent basis, that is possible too by sending them authentication cookies, but you’d probably want to do that more directly, not through wp_signon. And even then, if that’s what you’re doing, then a far simpler approach would be to simply create a new authentication function that returns a valid WP_User based on your check, and hook it to the authenticate filter. Then your custom code for authentication becomes much simpler indeed.

So, define what you’re doing. Then people can give you the best way to do it. That best way will never really involve calling wp_signon yourself, ever. 🙂
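The three alternatives the answer describes, as an added example that is not part of the original post or of WordPress core: a plain username/password check with wp_authenticate_username_password, becoming that user for the current request with wp_set_current_user, and a custom method hooked to the authenticate filter, with wp_set_auth_cookie used directly when a browser session is actually wanted. The script is assumed to have bootstrapped WordPress first (the `wp-load.php` path is an assumption), and `script_external_check` is a hypothetical stand-in for whatever system really holds the credentials. Note why the original symptom happens: core hooks wp_authenticate_cookie to the authenticate filter at priority 30, so a request that carries a valid auth cookie passes wp_signon regardless of the password supplied.

```php
<?php
/**
 * Added example, not code from the original post. Assumes WordPress is
 * already loaded, e.g. a script next to the install that does:
 *   require __DIR__ . '/wp-load.php';   // path is an assumption
 */

/**
 * 1) Check only a username/password pair. No cookies and no plugin-added
 *    authentication methods are consulted. Returns WP_User or WP_Error.
 *    The first argument is the running result of the authenticate chain;
 *    null forces a fresh check instead of passing an earlier result through.
 */
function script_verify_credentials( string $username, string $password ) {
    return wp_authenticate_username_password( null, $username, $password );
}

/**
 * 2) Verify and, on success, act as that user for this request only.
 *    Nothing is sent to any browser. Remember that wp_set_current_user()
 *    itself performs no check at all; the credential check is what makes
 *    calling it here meaningful.
 */
function script_become_user_if_valid( string $username, string $password ): bool {
    $user = script_verify_credentials( $username, $password );
    if ( is_wp_error( $user ) ) {
        // e.g. 'invalid_username' or 'incorrect_password'
        error_log( 'auth failed: ' . $user->get_error_code() );
        return false;
    }
    wp_set_current_user( $user->ID );
    return true;
}

/**
 * Hypothetical external verifier (LDAP, HTTP API, ...). Assumption: this is
 * replaced by a real call; as written it rejects everything.
 */
function script_external_check( string $username, string $password ): bool {
    return false;
}

/**
 * 3) A custom authentication method on the 'authenticate' filter.
 *    Core hooks its username/password and email/password checks here at
 *    priority 20 and the auth-cookie check at priority 30. Running at 10
 *    lets this method decide first; the core checks return a WP_User they
 *    receive unchanged, so a hit here ends the password comparison.
 */
function script_authenticate( $user, $username, $password ) {
    if ( $user instanceof WP_User ) {
        return $user; // already authenticated earlier in the chain
    }
    if ( '' === (string) $username || '' === (string) $password ) {
        return $user; // let core produce its own empty-field errors
    }
    if ( ! script_external_check( $username, $password ) ) {
        return $user; // fall through to core's checks
    }
    $wp_user = get_user_by( 'login', $username );
    // A valid external login with no matching WP account still fails.
    return $wp_user ? $wp_user : new WP_Error( 'no_local_user', 'No WordPress user for that login.' );
}
add_filter( 'authenticate', 'script_authenticate', 10, 3 );

/**
 * Only when the request really is a browser that should stay logged in:
 * send the auth cookies directly instead of going through wp_signon().
 * Must run before any output, and only on HTTPS in practice.
 */
function script_log_in_browser( WP_User $user, bool $remember = false ): void {
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, $remember, is_ssl() );
}
```

Use `script_become_user_if_valid()` when the script merely needs to run as a verified user (a CLI import, a cron job, an API endpoint with its own credential source); reserve `script_log_in_browser()` for the one case the answer carves out, where cookies have to go back to a real browser.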
