Skip to content

fix: Wire up Device Storage Method session setting to SDK configuration #947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Flowgram wants to merge 1 commit into
base: 5.x
Choose a base branch
from
Open

fix: Wire up Device Storage Method session setting to SDK configuration #947

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions src/Actions/Authentication.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -579,10 +579,9 @@ public function onShutdown(): void
if ('false' !== $this->getPlugin()->getOption('sessions', 'rolling_sessions')) {
$store = $this->getSdk()->configuration()->getSessionStorage();

/**
* @var CookieStore $store
*/
$store->setState(true);
if ($store instanceof CookieStore) {
$store->setState(true);
}

wp_set_auth_cookie(get_current_user_id(), true);
Copy link
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The instanceof guard above fixes the fatal, but this line still breaks rolling sessions for both storage methods. This needs the fix from #948 (passing the existing token) to actually work.

}
Expand Down
5 changes: 5 additions & 0 deletions src/Plugin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Store\SessionStore;
use Auth0\WordPress\Actions\{Authentication as AuthenticationActions, Base as Actions, Configuration as ConfigurationActions, Sync as SyncActions, Tools as ToolsActions, Updates as UpdatesActions};
use Auth0\WordPress\Cache\WpObjectCachePool;
use Auth0\WordPress\Filters\{Authentication as AuthenticationFilters, Base as Filters};
Expand Down Expand Up @@ -319,6 +320,10 @@ private function importConfiguration(): SdkConfiguration
);
}

if ('sessions' === $this->getOptionString('sessions', 'method')) {
Copy link
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we checked how this behaves on managed WordPress hosts (WP Engine, Kinsta, Pantheon etc.) SessionStore calls session_start() internally, and a lot of these hosts strip or ignore PHP session cookies at the CDN/server level. That would make SessionStore silently non-functional.

$sdkConfiguration->setSessionStorage(new SessionStore($sdkConfiguration, $sdkConfiguration->getSessionStorageId()));
Copy link
Contributor

@kishore7snehil kishore7snehil Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SessionStore also doesn't call session_write_close() anywhere, and WordPress doesn't either. PHP sessions lock the session file for the entire request, so concurrent AJAX requests from the same user will queue up and wait for each other instead of running in parallel. Might cause noticeable slowness in the admin.

}

if ('disable' !== $caching) {
$wpObjectCachePool = new WpObjectCachePool();
$sdkConfiguration->setTokenCache($wpObjectCachePool);
Expand Down