For three days I had nearly despaired when I tried to extend a WordPress site with a self-written login script. Everything worked properly on my local server, but as soon as I had uploaded it, the session variables didn’t seem to be passed any more: after the login, I stayed logged in for only one more click and then got logged out again.
After several unsuccessful Google searches (with the wisdom of hindsight it’s quite easy to google, but try and find something about this issue without reading any further than this) I found the reason at last, namely the function wp_unregister_GLOBALS() inside the file wp-settings.php. Here it is:
function wp_unregister_GLOBALS() {
if ( !ini_get('register_globals') )
return;
if ( isset($_REQUEST['GLOBALS']) )
die('GLOBALS overwrite attempt detected');
// Variables that shouldn't be unset
$noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');
$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ( $input as $k => $v )
if ( !in_array($k, $noUnset) && isset($GLOBALS[$k]) ) {
$GLOBALS[$k] = NULL;
unset($GLOBALS[$k]);
}
}
What does this function do?
- Line 27/28:
Ifregister_globalsis not activated in the PHP settings of the web server, it won’t do anything at all (which explains the different behaviours of my script on my local and the live server). If, however,register_globalsis active, it proceeds as follows:- Line 34:
As the comment already says, all global variables listed here will not be reset. As you can see,$_SESSIONis not being mentioned! - Line 36-41:
Now, all global variables are being shifted and deleted one by one.
- Line 34:
In short: If register_globals is activated, $_SESSION will be deleted on every single page view. No surprise that we can’t get at our session variables any more!
What’s it all about?
Well, for one thing, WordPress assumes that it’s meant to take care of the complete site – after all it is some kind of content management system. And that includes the administration of all variables as well.
What’s much more important though, is the fact, that the use of register_globals has been deprecated for a long time and the feature will even be completely removed in PHP 6. Today, it is strongly recommended not to use these kind of variables, because they involve safety hazards. So, WordPress is obviously trying to imitate the behaviour of a deactivated register_globals in order to ensure safety and avoid potential variable conflicts.
Remedy
After having solved this riddle, the solution was perfectly obvious: I have to deactivate register_globals on the web server, so WordPress wouldn’t even need to execute that stupid function. For this purpose, simply place a text file called php.ini inside your WordPress directory, containing the following line:
register_globals Off
Further information on the subject can be found on php.net:
73 responses to “Session variables in WordPress”
Hi,
I done same thing as you suggested.i set register globlas off in php.ini.but i am still facing problem.
i also add _SESSION in $noUnset array but not getting session on next page
please help it’s urgent
It’s hard to tell what the problem is without seeing the code – what file do you want use the session variables in? Maybe you could post a piece of your code (for example on http://pastebin.com/ ) and give me the link.
Hi,
First Thanks for Reply,
i had post my code
http://pastebin.com/m13b796ac
in that main.php contain my header and end.php contain footer
Is it the logout that doesn’t work? Because first you named the variable
$_SESSION['parent_id']and later at the logout, you wrote$_SESSION['parents_id'](with s!).No,
when once i store parent id in session,when i print session on top of file at that time i am getting blank session array
And did you put
session_start();somewhere? I think WordPress doesn’t do that by itself, so you need to start the session yourself.No,i did not put session_start().can u tell me in which file i put session_start()?b’coz when i put it in wp_load.php file it give “header already sent” warning…
I think it’s best to use one of the files that are included earliest by WordPress, like index.php, wp-blog-header.php or wp-load.php. (I’m not sure why it doesn’t work in wp-load.php for you.) I would simply put it in the index.php. :)
Hi,
if i am putting session_start() in wp_load.php or index.php or in my custom script,it gives me “Header already sent” warning
Even in the main WordPress index.php file?!? The one where it says
define('WP_USE_THEMES', true);etc.? Thesession_start()must be the very first line, there mustn’t be any blank spaces or anything before it. So your index.php should start with:<?php session_start() ...