Major Issue with your Plugin

Hmmm. The session vars are really only used for the PayPal Express gateway since that’s a good way to store info while users are at PayPal. It’s also used by some of our addons.

I can add a filter to skip the session setup for users who need to do that.

Jason, please take a look at the paid-memberships-pro file – session_start literally initializes with the plugin, at the very beginning. This is very bad practice and coding. If your intent is to only initialize sessions for PayPal express, then you should not start sessions with the plugin.

Because of this, every single person who gets your plugin installed literally kills any kind of caching. When a session is pushed at the start of the front page, no caching engine will ever work – even Cloudflare will have zero efficiency as the frontend proxy.

Please fix the code – you can simply look for session_start throughout your code base and remove it.

Thanks for the feedback. We have our reasons for how it’s setup. I’m open to discussion or pull requests at github.com/strangerstudios/paid-memberships-pro/. If you can stomach using PMPro, the v1.8.12.1 update going out contains a check to skip session setup.

https://github.com/strangerstudios/paid-memberships-pro/commit/bae5e4e41911fe367352b420cb179b4980a89bf4

To disable that code then add this to your wp-config.php:

define('PMPRO_USE_SESSIONS', false);

FYI here is some info RE caching with PMPro if you haven’t run into it yet: https://www.paidmembershipspro.com/documentation/using-caching-plugins-paid-memberships-pro/

James, thanks for taking care of this issue so quickly and pushing out the updates.

While the temporary fix of defining not to use sessions works for now, I would encourage you to update the code so that the session_start directive takes place right before you start working with sessions, within the PayPal express code. This way, sessions are never touched in the first place, unless PayPal is used.

Now the current issue with the plugin still remains for those who don’t know about this particular workaround – the default behavior will always kill caching as it stands, which is not good. The default behavior of any plugin should never be to start sessions – please refer to WordPress documentation, which clearly states that WordPress does not use sessions and instead relies on cookies for storing any temporary or session data.

Try this yourself – on any install of PM Pro, try to grab the front page of the WordPress blog using curl. For example: curl -I https://blogname.com. You will see that with your plugin enabled, curl will return a PHPSESSID header, which is the indication of a session start. With such behavior, try to put this website behind a reverse proxy (say Cloudflare) and see that it will not do anything, since the pages will never be cached. Cache will always return “miss” for session-enabled pages.

I suggest we build a better world with not initializing sessions in plugins, unless one is in the process of checking out via a gateway such as PayPal.

Hope it makes sense – I am sure many of your current plugin users would appreciate such a change.

Sincerely,
Nasim