• Resolved Green

    (@yanggh)


    Hi NinjaFirewall Team,

    I encountered a critical warning on the Site Health page of my WordPress installation:

    An active PHP session was detected

    A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.

    After consulting with my hosting support, they provided a list of plugins potentially using the session_start() function, which included NinjaFirewall.

    Upon deactivating NinjaFirewall, the warning disappeared from the Site Health page. This suggests that NinjaFirewall might be the source of the session_start() function triggering the warning.

    Could you confirm if there’s a setting in NinjaFirewall to disable session_start() or any related functions that may impact REST API or loopback requests? Any guidance on resolving this without deactivating the plugin would be greatly appreciated.

    Thank you for your assistance!

    Regards,
    Green Yang


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    It’s a false positive. You’ll find several discussions here on our forum about it. It’s scary but nothing to worry about: NinjaFirewall detects HTTP connections and saves the session to disk.
    I wonder why you see that message though, because NinjaFirewall is supposed to hide it. Are you using the latest version (4.7) and the latest set of security rules (NinjaFirewall > Security Rules > Check for updates now)?
    Also, if you don’t want to use PHP sessions, you can configure the firewall to use its own session implementation instead (https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/#user_session).

    Thread Starter Green

    (@yanggh)

    Hi @nintechnet ,

     Are you using the latest version (4.7) and the latest set of security rules (NinjaFirewall > Security Rules > Check for updates now) ?

    1. Yes, this warning message appears while all are updated to the latest, whether the sites are hosted on VPS hosting or managed hosting.
    2. I’ve added the code of NinjaFirewall sessions into the wp-config.php file, and it seems to work on the sites in all my hosting environments.
    3. Additional feedback sharing:
      It’s interesting, I ran into a situation with the REST API when I tried to do some customization to hide certain menu items of Jetpack. Then, I found out this warning doesn’t appear on a site without the Jetpack plugin activated when it’s running with the PHP sessions by default.

    Is changing it to the NinjaFirewall sessions suggested, and is it better than the default PHP session, without cons? I’ll be happy to see if the additional feedback would be useful or be used to get some points further.

    Thanks,
    Green

    • This reply was modified 1 month, 3 weeks ago by Green.
    Plugin Author nintechnet

    (@nintechnet)

    I’ve added the code of NinjaFirewall sessions into the wp-config.php file

    You would need to add it to the .htninja script, not the wp-config.php, if you are running NinjaFirewall in “Full WAF” mode. If you are running NinjaFirewall in “WordPress WAF” mode, you may keep it in the wp-config.php.
    There’s no drawback to using NinjaFirewall sessions instead of PHP’s. But if you see any problems, just report them here.
    I don’t see any issue with Jetpack, but I only tested with its default settings. There are a lot of them, so it is going to take some time to find out which one triggers the warning.

    Thread Starter Green

    (@yanggh)

    Hi @nintechnet ,

    Ah, thanks! I looked into the docs, but I couldn’t find out where the .htninja is, so I tried to add it to the wp-config.php. Now I realize that’s because I’m running in “WordPress WAF” and it’s good to go. Am I correct?

    On the other hand, I will report to the Jetpack team maybe with the content in this support ticket. I hope something will be discovered.

    Green
