Maybe like this?
if ( !isset($_SESSION) ) session_set_save_handler($manager);
This is definitely something we should fix => I’m opening a bug report on the GitHub project for tracking.
Unfortunately, your proposed solution to check whether or not $_SESSION is set first will … break things. We need to set the session save handler before using the session at all in order for it to save to the right place. If your site is setting up a session before we’ve set the save handler, you won’t end up using the plugin’s custom storage in the first place.
In any case, marking this as “resolved” for now because it’s more than likely your theme (or another plugin) that’s setting the session up early. That being said, I’ll queue things up to see if we can be more defensive around setting things up moving forward.
I go this output if this helps you, thank you Eric!
FILE: /wp-content/plugins/wp-session-manager/vendor/paragonie/random_compat/lib/byte_safe_strings.php
———————————————————————————————————————————
FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
———————————————————————————————————————————
33 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
87 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
———————————————————————————————————————————
FILE: /wp-content/plugins/wp-session-manager/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php
——————————————————————————————————————————————————
FOUND 3 ERRORS AFFECTING 1 LINE
——————————————————————————————————————————————————
60 | ERROR | Extension ‘mcrypt’ is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
60 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
60 | ERROR | The constant “MCRYPT_DEV_URANDOM” is deprecated since PHP 7.1 and removed since PHP 7.2
——————————————————————————————————————————————————
FILE: /wp-content/plugins/wp-session-manager/vendor/defuse/php-encryption/src/Core.php
——————————————————————————————————————
FOUND 0 ERRORS AND 4 WARNINGS AFFECTING 2 LINES
——————————————————————————————————————
282 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
282 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
308 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
308 | WARNING | INI directive ‘mbstring.func_overload’ is deprecated since PHP 7.2
——————————————————————————————————————
@asantos23 This conversation was already resolved as it was fixed in a different release. <i>Next time</i> please open a separate thread so everyone can see it. That being said, let me explain a few of these …
* random_compat
This is a library that provides true random number support for older versions of PHP. On modern versions (i.e. 7+) it’s unnecessary as the random number generators are native. It’s included here as a dependency of the defuse/php-encryption library.
This is a polyfill, meaning it’s built in such a way that it’s not even used if you’re on the right version of PHP – it’s only actually loaded if you’re on old PHP and lack native support.
Note also that WordPress ships this library as part of core as well, so your site is already running it 😉
* defuse/php-encryption
This library is used to encrypt sessions at rest and provides a wrapper around common encryption functionality in PHP. If you’re not encryption sessions – though you should be – it won’t do anything.
* Deprecation warnings
These won’t break your site. They’re a consequence of the plugin supporting older versions of PHP and necessarily including libraries that provide backwards-compatibility support. I will eventually be removing them when I bump the minimum version to 7.2 … but that’s a ways out.
* Deprecation errors
These errors – the removal of the mcrypt extension as of PHP 7.2 – are known. They’re why the random-compat library is included at all. Older versions of PHP that lacked a true random number generator used mcrypt to generate random values. Modern PHP uses a native interface and the library doesn’t even try to load the extension.
In summary: static code sniffing is giving you some false positive errors here.
