I am trying to identify the elements that WP uses to track that a user is logged in at any given time.
(1) I know WP sets a COOKIE for tracking
Does anyone know if WordPress also sets a _SESSION variable as well?
Does anyone know if WordPress records login status in a DB Table as well?
Is there anything else WP uses to track a user as being logged-in?
Thanks
Before core version 4.0 the authentication depended only on cookies.
Starting with 4.0, core introduced its own sessions (WP_Session_Tokens) to better handle security things. Note that these are not PHP sessions; they are implemented purely by WordPress and use user meta as storage.
Unfortunately I don’t think there is any clear documentation for this feature. From a quick search, it was discussed and implemented in ticket #20276, "Tie nonces and cookies to expirable sessions".
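
To see the user-meta storage described in the answer above, the following added example (not part of the original answer and not WordPress core code) lists and revokes a user's session records. It assumes WordPress 4.0+ is already loaded (a plugin file or `wp eval-file`) with the default user-meta session storage; the `example_*` function names are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress 4.0+ is loaded
// and the default user-meta session storage is in use.
// The example_* function names are hypothetical.

function example_list_sessions( $user_id ) {
    // One user meta row, key 'session_tokens': an array keyed by a hash of
    // each session token, so the raw cookie token itself is never stored.
    $stored = get_user_meta( $user_id, 'session_tokens', true );
    if ( ! is_array( $stored ) ) {
        return array(); // No sessions recorded for this user.
    }

    // Hash of the token carried by this request's auth cookie, if any.
    $current = '';
    if ( get_current_user_id() === (int) $user_id && wp_get_session_token() ) {
        $current = hash( 'sha256', wp_get_session_token() );
    }

    $rows = array();
    foreach ( $stored as $verifier => $session ) {
        if ( is_int( $session ) ) {
            $session = array( 'expiration' => $session ); // Older bare-expiry format.
        }
        $expires = isset( $session['expiration'] ) ? (int) $session['expiration'] : 0;
        $rows[]  = array(
            'verifier' => substr( (string) $verifier, 0, 12 ), // Shortened for display.
            'login'    => isset( $session['login'] ) ? gmdate( 'c', (int) $session['login'] ) : '',
            'expires'  => gmdate( 'c', $expires ),
            'expired'  => $expires < time(),
            'ip'       => isset( $session['ip'] ) ? $session['ip'] : '',
            'ua'       => isset( $session['ua'] ) ? $session['ua'] : '',
            'current'  => ( '' !== $current && hash_equals( $current, (string) $verifier ) ),
        );
    }
    return $rows;
}

function example_revoke_sessions( $user_id ) {
    // Removes every stored session; existing auth cookies for the user
    // then fail validation even though the browser still sends them.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}
```

Because login state is the cookie plus a matching, unexpired record in this meta row, deleting the record is enough to end a session server-side without touching the browser.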