Session variables in WordPress


For three days I had nearly despaired when I tried to extend a WordPress site with a self-written login script. Everything worked properly on my local server, but as soon as I had uploaded it, the session variables didn’t seem to be passed any more: after the login, I stayed logged in for only one more click and then got logged out again.

After several unsuccessful Google searches (with the wisdom of hindsight it’s quite easy to google, but try and find something about this issue without reading any further than this) I found the reason at last, namely the function wp_unregister_GLOBALS() inside the file wp-settings.php. Here it is:

function wp_unregister_GLOBALS() {
    if ( !ini_get('register_globals') )
        return;

    if ( isset($_REQUEST['GLOBALS']) )
        die('GLOBALS overwrite attempt detected');

    // Variables that shouldn't be unset
    $noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');

    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
        foreach ( $input as $k => $v )
            if ( !in_array($k, $noUnset) && isset($GLOBALS[$k]) ) {
                $GLOBALS[$k] = NULL;
                unset($GLOBALS[$k]);
            }
}

What does this function do?

  • Line 27/28:
    If register_globals is not activated in the PHP settings of the web server, it won’t do anything at all (which explains the different behaviours of my script on my local and the live server). If, however, register_globals is active, it proceeds as follows:
    • Line 34:
      As the comment already says, all global variables listed here will not be reset. As you can see, $_SESSION is not being mentioned!
    • Line 36-41:
      Now, all global variables are being shifted and deleted one by one.

In short: If register_globals is activated, $_SESSION will be deleted on every single page view. No surprise that we can’t get at our session variables any more!

What’s it all about?

Well, for one thing, WordPress assumes that it’s meant to take care of the complete site – after all it is some kind of content management system. And that includes the administration of all variables as well.

What’s much more important though, is the fact, that the use of register_globals has been deprecated for a long time and the feature will even be completely removed in PHP 6. Today, it is strongly recommended not to use these kind of variables, because they involve safety hazards. So, WordPress is obviously trying to imitate the behaviour of a deactivated register_globals in order to ensure safety and avoid potential variable conflicts.

Remedy

After having solved this riddle, the solution was perfectly obvious: I have to deactivate register_globals on the web server, so WordPress wouldn’t even need to execute that stupid function. For this purpose, simply place a text file called php.ini inside your WordPress directory, containing the following line:

register_globals Off

Further information on the subject can be found on php.net:


73 responses to “Session variables in WordPress”

  1. You’re right, this can vary from host to host: Sometimes you have to upload a php.ini as described, sometimes you can do it in .htaccess as you just said, and sometimes there’s a checkbox in the Admin panel where you can turn off register_globals. :)

  2. Oh – well, yes, I thought it was somewhat self-evident that you have to put session_start() somewhere before you can start working with sessions. :) My solution was especially for those cases when session_start() has already been added to a WP file like wp-config.php, and it still doesn’t work.

    But you are right, I should have mentioned that. Thanks for the link, it’s a good guide.

  3. Hi all! I am developing a theme for commercial use and require sessions to run to add some functionality that is needed.
    At the moment wp_unregister_GLOBALS() seem to be a great problem for me, since modifying wp-setting.php manually is not an option. Has anyone got any ideas on how to add SESSIONS global variable to a $noUnset list, by coding only inside my theme folder? Or maybe desable wp_unregister_GLOBALS()? Or perhaps deactivate register_globals in php setting file of the server? But remember I am limited to doing that by code only from inside my theme folder. Any advise on this will be much appreciated, I’ve been trying to find a solution for a week now and getting very frastrated at wordpress…
    Cheers
    Max

  4. The cleanest and most logical solution is, as I wrote, to disable register_globals. You could try to add a php.ini with register_globals Off to your theme folder, but it’s not granted that it will work from there, and certainly not on every server, because the way PHP ini values are set vary a lot depending on the host. (Some use a php.ini file, others only allow these settings to be changed from an admin panel, etc.)

    Another idea I have right now is: Perhaps you could override wp_unregister_GLOBALS() in your functions.php using override_function(). Just replace it with an empty function. Actually, that’s a pretty neat idea I just had there! Tell me how it worked out. ;)

  5. Thanks so much for your help =)) Interesting tho the register_globals is set to off in my godaddy server configuration, but it is php version 5.2.5, not the 5.3 that I have on my local host. The sessions work flowlessly on the local host with php5.3, but they don’t work at all on the web- the sessions start, but die with page refresh, so even a simple counter wouldn’t work.
    The override_function made my blog die by a horrible deph, but I am researching into the metter now- simse that wordpress does have similar things that let you override they core functions- remove_action and remove_filter functions. I will let you know if I find a solution. Thanks very much again for taking your time to help =))

  6. I’ve commented out the call to wp_unregister_GLOBALS()- in the online version it didn’t have a body to it in wp-settings, just a call for it. And guess what- nothing happend as I suspekted, since register_globals were off in both of my server configurations. I register sessions function in functions.php, have add_action(‘init’, ‘f_name’) and do a session start inside the body. On my local server it worked anyway I did it- even with session start in the top of the header… But as soon as I upload code online- sessions die horribly. I think I am at give up stage, I’ve searched alto for a week, tryed everething. Time to move on and try and achieve the same with cookies, just set it to not display anything if the cookies are off. And do some checks perhaps to see if the cookie code has been modified….

  7. That sounds really strange. Have you tried to put session_start() into to a very early-loading file? For example, I like to put it at the very bottom of my wp-config.php, and I’ve never had any problems with that.

  8. I’m in the same boat as Max who commented on 25 July 2010. I have session_start() at the top of wp_config. I tried the php.ini in the same directory as wp_settings. I then did surgery on the wp_unregister_globals function in wp_settings with some //’s and it seemed to work for a while, but then returned to some strange behavior once again.

    For example, my $_SESSION[‘test’] was unset in php script unrelated to WordPress, but the pages on WordPress still register the value of $_SESSION[‘test’]–and even seem to insert some values of its own. All other non-Wordpress scripts show nothing for the variable during all this.

    If I figure out a solution for this I’ll leave another comment heh.

Leave a Reply

Your email address will not be published. Required fields are marked *