Problem Summary:
I’m building a WordPress plugin for a multi-user parent portal. Parents log in and edit forms for their children.
Each parent only has one child, and users are never supposed to see each other’s data.
BUT: When concurrent users are logged in on different machines (different IPs, different browsers), something strange happens:
The “Currently managing: {child name}” message switches names depending on which user accessed a tab most recently.
This happens even when:
- Users are logged in separately, not reusing browsers
- They each have different credentials
- They each only have one child
- Sessions are intended to be separate
Suspected Root Cause
We store the active child ID in a session variable like this:
$_SESSION['current_child_id'] = $user->{"Serial no."};
And use that to determine which student name to display:
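$child_id = $_SESSION['current_child_id'];
// Bind the ID through a placeholder instead of interpolating it into the SQL string
$child = $wpdb->get_row($wpdb->prepare("SELECT * FROM gsp25 WHERE `Serial no.` = %s", $child_id));
echo "Currently managing: " . esc_html($child->{"Name of student"});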
We use session_start() consistently in all functions.
The Issue
Even though each user logs in on a different machine, one user’s session variable seems to overwrite another’s.
There’s no shared login or intentional impersonation — just unexpected session data bleeding across users.
What We’ve Tried
- Using session_start() with no session_name() (just default PHPSESSID)
- Ensuring no output before session starts
- Confirming that session IDs are different across users
- Setting the child ID once on login
- Logging to debug.log shows each user has a different session_id()
What We Need Help With
- What else could cause cross-user $_SESSION variable leakage?
- Could WordPress, a plugin, or a server-side misconfiguration (e.g. shared session storage) cause this?
- Is there a better way to isolate each user’s context than relying on PHP sessions?
Session Init Code
This is at the top of every handler function that touches $_SESSION:
if (!session_id()) session_start();
We do not use session_name() anymore. We rely entirely on PHP’s default PHPSESSID cookie.
Where We Set Session State (on login):
$_SESSION['parent_logged_in'] = true;
$_SESSION['parent_email'] = $parent_email;
$_SESSION['current_child_id'] = $user->{"Serial no."};
Server Setup:
I do not know much about this, other than that this is a custom plugin on a website hosted at wordpress.com, using tables from a wp database.
We’ve verified that each user gets a unique session_id() via session_id().
Thank you experts, and appreciate your help with this.
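A diagnostic for the questions in the post, as an added example that is not part of the original post or the plugin's own code: it logs which session store each request uses and marks logged-in portal pages as uncacheable, which helps separate a shared session store from a page rendered for one parent and replayed to another. The `gsp_` function names and the choice of hooks are assumptions, and the post does not establish whether a page cache is active on this host.

```php
<?php
// Added example. Function names prefixed gsp_ are hypothetical, not from the post.

/**
 * Log which session this request is bound to and where PHP stores session data.
 * Same ID hash for two parents: the cookie or the store is being shared.
 * Different hashes but the wrong child on screen: suspect a cached response.
 */
function gsp_log_session_context() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    error_log(sprintf(
        'gsp session: id_hash=%s handler=%s save_path=%s child=%s uri=%s',
        substr(hash('sha256', session_id()), 0, 12), // never log the raw session ID
        ini_get('session.save_handler'),
        ini_get('session.save_path'),
        isset($_SESSION['current_child_id']) ? $_SESSION['current_child_id'] : '(unset)',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '(cli)'
    ));
}

/**
 * Tell browsers, proxies and caching plugins not to store per-parent HTML.
 */
function gsp_mark_portal_uncacheable() {
    if (!empty($_SESSION['parent_logged_in'])) {
        if (!defined('DONOTCACHEPAGE')) {
            define('DONOTCACHEPAGE', true); // honoured by several caching plugins
        }
        nocache_headers(); // WordPress core helper that sends no-cache headers
    }
}

// Log early in the request; send headers before any template output starts.
add_action('init', 'gsp_log_session_context', 1);
add_action('template_redirect', 'gsp_mark_portal_uncacheable', 1);
```

If the logged hash and child ID are correct for a request but the browser shows another child's name, the HTML came from somewhere other than that request's session.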