Truth be told. One day it just dawned on me that WordPress does not use session at all, none. How does it know whether a user is an anonymous visitor or someone who has previously logged in? It uses cookies. If I remember correctly, it uses a number of cookies: one for the admin backend, and one for the front end, and perhaps there is another for secure connections, about which I am not quite sure at this point. But anyway, all these cookies have an expiry time, so as long as these cookies are not expired, WordPress will treat you as having authenticated.

Why was I mulling over the session thing with WordPress? It’s because I was implementing a Single Sign On (SSO) solution from our corporate portal to an external WordPress-powered site. I was snagged at one point where the SSO processes works well as expected – if you have an account with WordPress it will identify who you are, and if you don’t have an account on the system, it will create one based on the information passed through the SSO post. And everything works, and you click the SSO link and will land on the dashboard page of the site without a problem, and you can navigate around the backend – no problem. But as soon as you click the site link or logo on the top left of the window, I was immediately brought to the login page. At first I was thinking that the session somehow died. Later, I discovered, through observing the HTTP conversation, that the link causes a request for a slightly different domain. Then I realized cookies are tied to domains, the previously valid cookies are no longer valid when the domain changed slightly from to When I changed the home link, the problem is resolved.

My realization after this is that WordPress does not use session at all. No session was created and no session dies. It’s just the cookies; cookies are created; cookies get validated; cookies are invalidated for a number of reasons: time elapsed, domain change or user-triggered cookie deletion, and may be more.

I later checked online resources to corroborate my theory, and it is true. Here are a few articles related to the topic that I found interesting and read:

  • Digg
  • StumbleUpon
  • Sphinn
  • Facebook
  • Mixx
  • Google Bookmarks
  • Haohao
  • LinkedIn
  • Live
  • MyShare
  • MySpace
  • Reddit
  • Technorati
  • TwitThis

Related posts:

  1. New Discovery about WordPress: external html pages and assets
  2. Hosting Can Make a Whole Lot of Diference to WordPress Blog Security
  3. Creating a Clone of a WordPress Website
  4. Search for a WordPress Plugin to Make A Private Blog
  5. Finding a Twitter Plugin for WordPress Blog

Tags: , , ,

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="">