Skip to content

fix: Wire up Device Storage Method session setting to SDK configuration #947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Flowgram wants to merge 1 commit into
base: 5.x
Choose a base branch
from
Open

fix: Wire up Device Storage Method session setting to SDK configuration #947

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions src/Actions/Authentication.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -579,10 +579,9 @@ public function onShutdown(): void
if ('false' !== $this->getPlugin()->getOption('sessions', 'rolling_sessions')) {
$store = $this->getSdk()->configuration()->getSessionStorage();

/**
* @var CookieStore $store
*/
$store->setState(true);
if ($store instanceof CookieStore) {
$store->setState(true);
}

wp_set_auth_cookie(get_current_user_id(), true);
Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The instanceof guard above fixes the fatal, but this line still breaks rolling sessions for both storage methods. This needs the fix from #948 (passing the existing token) to actually work.

Copy link
Copy Markdown
Author

@Flowgram Flowgram Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, the wp_set_auth_cookie() nonce rotation issue is real and affects both storage methods. However, that's a pre-existing bug on the current codebase (tracked in #934), not something introduced by this PR. The scope here is specifically wiring up the dead session storage setting. Happy to see #948 addressing the rolling sessions fix separately.

}
Expand Down
5 changes: 5 additions & 0 deletions src/Plugin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Store\SessionStore;
use Auth0\WordPress\Actions\{Authentication as AuthenticationActions, Base as Actions, Configuration as ConfigurationActions, Sync as SyncActions, Tools as ToolsActions, Updates as UpdatesActions};
use Auth0\WordPress\Cache\WpObjectCachePool;
use Auth0\WordPress\Filters\{Authentication as AuthenticationFilters, Base as Filters};
Expand Down Expand Up @@ -319,6 +320,10 @@ private function importConfiguration(): SdkConfiguration
);
}

if ('sessions' === $this->getOptionString('sessions', 'method')) {
Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we checked how this behaves on managed WordPress hosts (WP Engine, Kinsta, Pantheon etc.) SessionStore calls session_start() internally, and a lot of these hosts strip or ignore PHP session cookies at the CDN/server level. That would make SessionStore silently non-functional.

Copy link
Copy Markdown
Author

@Flowgram Flowgram Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Valid point, but the plugin already presents this option in the UI with a warning: "PHP Sessions require external configuration to work securely and reliably." This PR just makes that existing UI choice functional, admins choosing it should already be aware of their hosting constraints.

Worth noting that the plugin UI actually labels this option "PHP Native Sessions (Recommended)", so there's arguably a broader question about whether that recommendation is appropriate given these hosting caveats.

$sdkConfiguration->setSessionStorage(new SessionStore($sdkConfiguration, $sdkConfiguration->getSessionStorageId()));
Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SessionStore also doesn't call session_write_close() anywhere, and WordPress doesn't either. PHP sessions lock the session file for the entire request, so concurrent AJAX requests from the same user will queue up and wait for each other instead of running in parallel. Might cause noticeable slowness in the admin.

Copy link
Copy Markdown
Author

@Flowgram Flowgram Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's exactly what happens. Visiting an AJAX-heavy page in the admin causes my local environment to crash with ERR_CONNECTION_REFUSED errors, requiring a server restart. My local dev uses PHP's default file-based session handler, which is where the locking is most severe. Hosts using Redis or database-backed sessions would fare better, but it does highlight wider issues with the SessionStore approach as-is.

}

if ('disable' !== $caching) {
$wpObjectCachePool = new WpObjectCachePool();
$sdkConfiguration->setTokenCache($wpObjectCachePool);
Expand Down