[SITE-5417] Session handler not working under Pantheon PHP Runtime Generation 2

[figureone]

Aloha, plugin developer here, fielding a report from a Pantheon user who noted that sessions were no longer working after upgrading to PHP Runtime Generation 2.

We've done some debugging and confirmed that native sessions (e.g., /var/lib/php/sessions/) are still trying to be written to the read-only filesystem, even after this plugin is successfully running in mu-plugins.

After activating this plugin, we've confirmed that the wp_pantheon_sessions table has been created, and that session_set_save_handler() is returning true.
https://github.com/pantheon-systems/wp-native-php-sessions/blob/main/pantheon-sessions.php#L216
However, session_start() and $_SESSION variable access results in the core PHP session handler being invoked, which leads to logged warnings, e.g.:

[09-Dec-2025 23:43:36 UTC] PHP Warning:  SessionHandler::read(): open(/var/lib/php/sessions/sess_bj8q2eic3pstpq4er0k1bm2jhl, O_RDWR) failed: Read-only file system (30) in /code/wp-content/plugins/authorizer/vendor/apereo/phpcas/source/CAS/Client.php on line 973
[09-Dec-2025 23:43:36 UTC] PHP Warning:  session_start(): Failed to read session data: user (path: /var/lib/php/sessions) in /code/wp-content/plugins/authorizer/vendor/apereo/phpcas/source/CAS/Client.php on line 973

I confirmed that the Pantheon_Sessions\Session_Handler class methods do not get invoked (via error_log() calls in the relevant functions in wp-native-php-sessions/inc/class-session-handler.php).

In the particular case of the plugin I maintain, sessions cannot be avoided because an upstream composer package uses them (for integration with CAS authentication servers): https://github.com/uhm-coe/authorizer/blob/master/vendor/apereo/phpcas/source/CAS/Client.php#L973

Not sure the specifics of what changed with PHP Runtime Generation 2, but we're happy to help debug if you struggle to reproduce the issue. Cheers

[pwtyler]

Hi there—

We've had a couple reports about sessions with Gen 2 now— Gen 1 previously allowed on-disk session management, although it was not recommended due to Pantheon's distributed environment with multiple appservers (hence the need for the plugin). Now with Gen 2, PHP's native session management doesn't work at all (even on environments with a single appserver).

If the plugins and not working together successfully, we can definitely dig into this and figure out if a fix is needed in wp-native-php-sessions, authorizer, or both.

cc @jazzsequence

[figureone]

I suspect the change needs to happen upstream in Gen 2, since wp-native-php-sessions does seem to successfully register the database handler in session_set_save_handler().
https://www.php.net/manual/en/function.session-set-save-handler.php
But any subsequent session changes will still use the default file-based handler.

The default value of session.save_handler in php.ini is files, and I'd guess that is what is not being overridden. It sounds like this should evaluate to user when session_set_save_handler() is invoked.
https://www.php.net/manual/en/session.configuration.php#ini.session.save-handler
https://www.php.net/manual/en/function.session-set-save-handler.php#118592

Perhaps Gen 2 is locking this down somehow?

[pwtyler]

I also clock save_path is null on gen1 and set on gen2, which seems an avenue of investigation as well. I know the original issue was for a customer, do you have this reproduced in a Pantheon environment that we could look at (or we can help you get one setup)? I'm at my.name AT pantheon DOT io, or find myself/@jazzsequence either in Pantheon Community Slack or Make WordPress for details.