Skip to content

fix: Wire up Device Storage Method session setting to SDK configuration #947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Flowgram wants to merge 2 commits into
base: 5.x
Choose a base branch
from
+8 −4
Open

fix: Wire up Device Storage Method session setting to SDK configuration #947

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
af05c3c
fix: Wire up "Device Storage Method" session setting to SDK configura…
Feb 24, 2026
ae080f3
Merge branch '5.x' into fix/session-storage-method
kishore7snehil Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions src/Actions/Authentication.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -579,10 +579,9 @@ public function onShutdown(): void
if ('false' !== $this->getPlugin()->getOption('sessions', 'rolling_sessions')) {
$store = $this->getSdk()->configuration()->getSessionStorage();

/**
* @var CookieStore $store
*/
$store->setState(true);
if ($store instanceof CookieStore) {
$store->setState(true);
}

wp_set_auth_cookie(get_current_user_id(), true);
Comment thread
kishore7snehil marked this conversation as resolved.
}
Expand Down
5 changes: 5 additions & 0 deletions src/Plugin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Store\SessionStore;
use Auth0\WordPress\Actions\{Authentication as AuthenticationActions, Base as Actions, Configuration as ConfigurationActions, Sync as SyncActions, Tools as ToolsActions, Updates as UpdatesActions};
use Auth0\WordPress\Cache\WpObjectCachePool;
use Auth0\WordPress\Filters\{Authentication as AuthenticationFilters, Base as Filters};
Expand Down Expand Up @@ -319,6 +320,10 @@ private function importConfiguration(): SdkConfiguration
);
}

if ('sessions' === $this->getOptionString('sessions', 'method')) {
Comment thread
kishore7snehil marked this conversation as resolved.
$sdkConfiguration->setSessionStorage(new SessionStore($sdkConfiguration, $sdkConfiguration->getSessionStorageId()));
Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SessionStore also doesn't call session_write_close() anywhere, and WordPress doesn't either. PHP sessions lock the session file for the entire request, so concurrent AJAX requests from the same user will queue up and wait for each other instead of running in parallel. Might cause noticeable slowness in the admin.

Copy link
Copy Markdown
Author

@Flowgram Flowgram Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's exactly what happens. Visiting an AJAX-heavy page in the admin causes my local environment to crash with ERR_CONNECTION_REFUSED errors, requiring a server restart. My local dev uses PHP's default file-based session handler, which is where the locking is most severe. Hosts using Redis or database-backed sessions would fare better, but it does highlight wider issues with the SessionStore approach as-is.

Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since PHP's default file-based session handler is what most self-hosted WordPress installations use, and you've confirmed it causes server crashes on AJAX-heavy admin pages, I don't think we should ship this without at least warning admins at runtime.

Copy link
Copy Markdown
Contributor

@kishore7snehil kishore7snehil Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add an admin notice when "PHP Native Sessions" is selected? Something along the lines of:

"You have selected PHP Native Sessions for Auth0 session storage. The default PHP file-based session handler can cause performance issues with concurrent requests. For production use, configure a non-blocking session handler (Redis, Memcached, or database-backed) via session.save_handler in your PHP configuration."

This way we're not blocking the feature, but we're making sure admins don't hit the locking wall without any heads-up beyond the existing generic warning.

}

if ('disable' !== $caching) {
$wpObjectCachePool = new WpObjectCachePool();
$sdkConfiguration->setTokenCache($wpObjectCachePool);
Expand Down