From af05c3cd191705a66f9464afdd018748117deb46 Mon Sep 17 00:00:00 2001
From: Leon Sinclair
Date: Tue, 24 Feb 2026 12:23:08 +0000
Subject: [PATCH] fix: Wire up "Device Storage Method" session setting to SDK configuration The "Device Storage Method" setting in the plugin UI (Advanced > Sessions) allows choosing between "Encrypted Cookies" and "PHP Native Sessions (Recommended)", but importConfiguration() never reads this option. The SDK always defaults to CookieStore regardless of the setting. This causes large encrypted session cookies (chunked across auth0_session_0, _1, _2, etc.) that can exceed nginx's default 8KB header buffer limit, resulting in "400 Bad Request: Request Header Or Cookie Too Large" errors. Changes: - Read the sessions.method option in importConfiguration() and set a SessionStore on the SdkConfiguration when PHP sessions are selected - Guard the setState() call in onShutdown() with an instanceof check, since setState() is CookieStore-specific and causes a fatal error when SessionStore is used
---
src/Actions/Authentication.php | 7 +++----
src/Plugin.php | 5 +++++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/Actions/Authentication.php b/src/Actions/Authentication.php
index f6fb41c94..e61532feb 100644
--- a/src/Actions/Authentication.php
+++ b/src/Actions/Authentication.php
@@ -579,10 +579,9 @@ public function onShutdown(): void
 if ('false' !== $this->getPlugin()->getOption('sessions', 'rolling_sessions')) {
 $store = $this->getSdk()->configuration()->getSessionStorage();
- /**
- * @var CookieStore $store
- */
- $store->setState(true);
+ if ($store instanceof CookieStore) {
+ $store->setState(true);
+ }
 wp_set_auth_cookie(get_current_user_id(), true);
 }
diff --git a/src/Plugin.php b/src/Plugin.php
index 7e71e5c82..9c6a90a24 100644
--- a/src/Plugin.php
+++ b/src/Plugin.php
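Review bot: The new `instanceof CookieStore` guard in `onShutdown()` (src/Actions/Authentication.php) only resolves to the SDK class if `CookieStore` is imported in that file, and this patch adds no `use` line there. The removed code named the class only in a `@var` docblock, which needs no import, and an unresolved class name makes `instanceof` evaluate to false without any error, so the rolling refresh would silently stop for cookie-based sites as well. Confirm that `use Auth0\SDK\Store\CookieStore;` is already present, or add it. Separately, when SessionStore is selected `wp_set_auth_cookie()` still extends the WordPress cookie while the SDK session appears not to be refreshed, so a comment such as `// SessionStore: not refreshed here; its lifetime follows the PHP session settings` would record that the two lifetimes can diverge. The body of `onShutdown()` starts and ends outside this hunk.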
@@ -6,6 +6,7 @@
 use Auth0\SDK\Auth0;
 use Auth0\SDK\Configuration\SdkConfiguration;
+use Auth0\SDK\Store\SessionStore;
 use Auth0\WordPress\Actions\{Authentication as AuthenticationActions, Base as Actions, Configuration as ConfigurationActions, Sync as SyncActions, Tools as ToolsActions, Updates as UpdatesActions};
 use Auth0\WordPress\Cache\WpObjectCachePool;
 use Auth0\WordPress\Filters\{Authentication as AuthenticationFilters, Base as Filters};
@@ -319,6 +320,10 @@ private function importConfiguration(): SdkConfiguration
 );
 }
+ if ('sessions' === $this->getOptionString('sessions', 'method')) {
+ $sdkConfiguration->setSessionStorage(new SessionStore($sdkConfiguration, $sdkConfiguration->getSessionStorageId()));
+ }
+
 if ('disable' !== $caching) {
 $wpObjectCachePool = new WpObjectCachePool();
 $sdkConfiguration->setTokenCache($wpObjectCachePool);
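Review bot: In `importConfiguration()`, choosing `sessions` moves the SDK's session state out of the encrypted cookie and into PHP's session storage, and the new branch neither documents that trade-off nor checks that sessions are usable. Whatever the SDK keeps in its session store (presumably including tokens) would then rest in the server's session save handler, so its confidentiality depends on how the host stores and isolates session data rather than on the cookie secret, and multi-node deployments would need a shared handler. Consider a guard such as `if (PHP_SESSION_DISABLED !== session_status() && 'sessions' === $this->getOptionString('sessions', 'method')) {` so the plugin falls back to the cookie store when sessions are unavailable, plus a comment above the branch stating the storage change. The function body starts and ends outside the hunk.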