I've found WP Login Security 2 to be an extremely useful plugin and it's installed on each of the WordPress sites I either run or manage. But like other people, I've been bitten by the Cannot send session cache limiter warning message.
You're absolutely right to point out that people should really disable
display_errors in their
php.ini file for security reasons but on one site I manage this isn't an option. This particular hosting provider locks down their PHP environment and even placing a site specific
php.ini in the web root is ignored. It's a pain to see this warning message whenever I'm working in the site's admin screens so I've looked into this in a bit more detail and have come up with a workaround.
Even if a hosting provider locks down
php.ini, you're still able to override the
display_errors settings in the code via the
ini_set PHP function. So I've added some code to the
wpls2_new_ip_check function in
wp-login-security-2.php that checks to see whether
display_errors is enabled and if it is, disables it but only for the duration of the execution of
wpls2_new_ip_check and restores the setting back once this function returns.
It's not the most elegant of work-arounds but in a restricted hosting environment, options are limited. The code is up on GitHub in a Gist if you're interested. I've tested it out on a local machine and on a live production site and it seems to work without impacting the functionality of the plugin or the site. Feel free to take this and adapt it or incorporate it into a future release of the plugin if you think it will help.
Once again, thanks for writing a useful and valuable plugin.