Cookies and PHP Sessions

It’s important to understand how cookies and PHP Sessions are handled at WP Engine, especially if migrating a website. In this article we’ll explain what cookies and PHP Sessions are, how they interact with page caching, and the performance implications of using them.


Cookies

The term “cookie” refers to contextual bits of data your web browser stores. A cookie could be used to display different information on a website for different users, or to gather data about the browsing activity of a user.

Cookies are assigned to individual users, which means they are not intended to span multiple user sessions. The data stored should have the ability to return a unique value and apply a unique set of rules. EX: If you want your site to show a popup for users who are already subscribers, compared to users who are not already subscribers, a cookie could help.


Issues with Cookies

When present, cookies work with PHP as the page is loaded in order to perform a unique action. When a page is served from cache, it has already been generated by the server on an earlier request, so PHP does not run again. If the page is cached, the cookie cannot be read and perform its action during the page load as expected.

A cookie may only work as expected when you are logged in to the WordPress® Admin Dashboard. This is because logged-in user sessions specifically bypass the page cache layer and are processed by PHP every time.

We recommend populating all the available options for the action you wish to take with HTML or PHP. Then, you can use JavaScript to select which option to load (based on the presence of the cookie). In this way, the fully-formed page served by cache will still fit all scenarios, since browser-side JavaScript will determine which of the available options show.

In an example using very simple conditional HTML, the page would include one sidebar image for preferred users and another image for those who need to sign up. JavaScript would then read the cookie from the browser (via document.cookie; the PHP $_COOKIE array is not available on a cached page) to determine which sidebar image to show.
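The sidebar pattern just described, written out as an added example (this is not WP Engine's or WordPress core code). It assumes a cookie named example_subscriber whose value is "1" for subscribers, and two image files under the active theme's img/ directory; both names are placeholders chosen for this illustration. The shortcode returns identical markup for every visitor, so the page stays cacheable, and the cookie only decides which of the two already-delivered variants is visible.

```php
<?php
/**
 * Added example, not WP Engine's or WordPress core code: both sidebar
 * variants are rendered into the (cacheable) HTML and a few lines of
 * browser-side JavaScript pick one from a cookie.
 * Assumed names: cookie "example_subscriber" (value "1"), images
 * img/welcome-back.png and img/sign-up.png in the active theme.
 */

/** Shortcode [example_sidebar]: markup that is the same for every visitor. */
function example_sidebar_variants() {
    ob_start();
    ?>
    <aside id="example-sidebar">
      <!-- Both variants ship to everyone, so neither may contain restricted content. -->
      <img data-variant="subscriber" hidden
           src="<?php echo esc_url( get_theme_file_uri( 'img/welcome-back.png' ) ); ?>"
           alt="Welcome back">
      <img data-variant="guest"
           src="<?php echo esc_url( get_theme_file_uri( 'img/sign-up.png' ) ); ?>"
           alt="Sign up">
    </aside>
    <script>
    (function () {
      // Read one cookie by name from document.cookie. The cookie must not be
      // flagged HttpOnly, or the browser hides it from scripts entirely.
      function readCookie(name) {
        var pairs = document.cookie ? document.cookie.split('; ') : [];
        for (var i = 0; i < pairs.length; i++) {
          var eq  = pairs[i].indexOf('=');
          var key = eq === -1 ? pairs[i] : pairs[i].slice(0, eq);
          if (key === name) {
            if (eq === -1) { return ''; }             // cookie present but empty
            try { return decodeURIComponent(pairs[i].slice(eq + 1)); }
            catch (e) { return null; }                // malformed percent-encoding
          }
        }
        return null;
      }
      // The cookie only chooses presentation; it grants nothing on its own.
      var variant = readCookie('example_subscriber') === '1' ? 'subscriber' : 'guest';
      var nodes = document.querySelectorAll('#example-sidebar [data-variant]');
      for (var j = 0; j < nodes.length; j++) {
        nodes[j].hidden = nodes[j].getAttribute('data-variant') !== variant;
      }
    })();
    </script>
    <?php
    return ob_get_clean();
}
add_shortcode( 'example_sidebar', 'example_sidebar_variants' );
```

Because the cached HTML carries every variant, anything placed in the hidden branch is visible to anyone who views the page source; this technique is only suitable for presentation choices, never for gating content that must stay private.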


Cookie Alternatives

If you try to use PHP to read cookies, it will likely only display an empty cookie array. And while it’s not ideal, we understand that sometimes this might be a necessity for sites. Page caching does not automatically mean that you can’t use PHP to read cookies. There are two alternatives:

Use Admin-ajax Calls

  • JavaScript triggers a POST request to admin-ajax.php. PHP is then able to receive and, if needed, perform different actions.
  • This scenario should only be used if your page is not making any other admin-ajax requests. Sending multiple requests to admin-ajax.php is not ideal and directly counteracts the benefits of this method.
  • An example can be found here
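As an added example of the admin-ajax approach (not WP Engine's code, and not the example the article links to), the block below makes exactly one POST to admin-ajax.php per page view and lets PHP, which always runs for that request, read the cookie the cached page could not. The action name example_cookie_check, the cookie name example_subscriber and the element id example-sidebar are assumptions made for this illustration.

```php
<?php
/**
 * Added example, not WP Engine's or WordPress core code: a single
 * admin-ajax.php round trip that lets PHP read a cookie the cached page
 * cannot see. Assumed names: action "example_cookie_check", cookie
 * "example_subscriber", and an element #example-sidebar holding
 * [data-variant] children (both variants already in the HTML).
 */

/** Server side: runs on every call, because admin-ajax.php is never page-cached. */
function example_cookie_check() {
    // Reject requests without a valid nonce (default request field: _ajax_nonce).
    check_ajax_referer( 'example_cookie_check' );

    $raw = isset( $_COOKIE['example_subscriber'] )
        ? sanitize_text_field( wp_unslash( $_COOKIE['example_subscriber'] ) )
        : '';

    // Return only what the page needs to choose a variant; this hook is reachable
    // by anonymous visitors, so nothing sensitive belongs in the response.
    wp_send_json_success( array( 'variant' => ( '1' === $raw ) ? 'subscriber' : 'guest' ) );
}
add_action( 'wp_ajax_example_cookie_check', 'example_cookie_check' );        // logged-in users
add_action( 'wp_ajax_nopriv_example_cookie_check', 'example_cookie_check' ); // anonymous visitors

/** Client side: one POST per page view, printed into the footer. */
function example_cookie_check_script() {
    $config = array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_cookie_check' ),
    );
    ?>
    <script>
    (function (cfg) {
      var body = new URLSearchParams({ action: 'example_cookie_check', _ajax_nonce: cfg.nonce });
      fetch(cfg.url, { method: 'POST', credentials: 'same-origin', body: body })
        .then(function (r) { return r.json(); })
        .then(function (res) {
          if (!res || !res.success) { return; }   // rejected or stale nonce: keep the default variant
          var nodes = document.querySelectorAll('#example-sidebar [data-variant]');
          for (var i = 0; i < nodes.length; i++) {
            nodes[i].hidden = nodes[i].getAttribute('data-variant') !== res.data.variant;
          }
        })
        .catch(function () { /* network failure: the default variant stays visible */ });
    })(<?php echo wp_json_encode( $config ); ?>);
    </script>
    <?php
}
add_action( 'wp_footer', 'example_cookie_check_script' );
```

Two things to check before relying on this. First, the nonce is baked into the cached HTML and WordPress nonces are only valid for 12 to 24 hours, so if the page cache lifetime is longer than that the call will start failing once the stored nonce expires; keep the cache lifetime shorter, or accept that a read-only endpoint like this one degrades gracefully to the default variant. Second, every page view now costs one uncached PHP execution, which is exactly the overhead the article warns about, so this belongs on a page that makes no other admin-ajax requests, and any handler that changes state (unlike this read-only one) must keep the nonce check and should not be registered on the nopriv hook unless anonymous access is intended.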

Exclude Pages from Cache when Cookie is Present

  • The page is built fresh in PHP for your users only when the cookie is present.
  • Note: Uncaching pages will not scale well with increased traffic.
  • Contact Support from your User Portal for assistance.

PHP Sessions

PHP Sessions are bits of data about a user, meant to stick with users as they navigate your site. A PHP Session involves setting a cookie called PHPSESSID with a unique identification string as the value.

EX: Storing shopping cart data, recently viewed items, or a logged-in status across multiple pages.


Issues With Sessions

The biggest problem this presents is the unique session IDs. Unique IDs effectively bust the cache and cause every session to be served uncached, which will cause serious performance issues for your site. With that in mind, our system specifically ignores headers that define a PHPSESSID cookie.

PHP Sessions also store each session's data in its own file on the filesystem. Writing data to files is an I/O process, which is known to back up and cause high server load. This kind of session storage also simply doesn't work if your site is on an AWS clustered solution spanning multiple web servers.

Finally, there are multiple security vulnerabilities centering around PHP Sessions. Vulnerabilities include session data being exposed, session fixation, and session hijacking.


Session Alternatives

WordPress itself specifically doesn’t use PHP sessions, and the correct method to store session data is to use the database. Additionally, many eCommerce solutions have converted to using this updated method.

If checking through your site’s code you find a plugin or theme file that uses session_start, check if there’s an update available. After updating, check the code again to verify it’s been corrected. If your plugin or theme doesn’t have an update or it continues using sessions after the update, we highly recommend reaching out to the developer or finding a more secure alternative.
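For the two paragraphs above, here is an added example (not WP Engine's, WordPress core's, or any eCommerce plugin's code) of the database-backed alternative to session_start: state is kept in WordPress transients (the options table, or the persistent object cache when one is configured, either of which is shared by every web server in a cluster) and tied to the visitor by an opaque random token in a cookie. The cookie name example_sid, the two-hour lifetime and the example_ function names are assumptions; the structure mirrors what a plugin or theme that still calls session_start could be rewritten to use.

```php
<?php
/**
 * Added example, not WP Engine's or WordPress core code: a minimal
 * replacement for session_start() that keeps session data in the WordPress
 * database (transients) instead of the filesystem, keyed by a random token.
 * Assumed: cookie name "example_sid", 2-hour lifetime, PHP 7.3+ (setcookie
 * options array) and the WordPress constants COOKIEPATH / COOKIE_DOMAIN.
 */

const EXAMPLE_SESSION_COOKIE = 'example_sid';
const EXAMPLE_SESSION_TTL    = 2 * HOUR_IN_SECONDS;

/** Issue a fresh 256-bit token and set it as an HttpOnly, Secure (on HTTPS) cookie. */
function example_session_issue_token() {
    $token = bin2hex( random_bytes( 32 ) ); // never derived from anything the client sent
    setcookie( EXAMPLE_SESSION_COOKIE, $token, array(
        'expires'  => time() + EXAMPLE_SESSION_TTL,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,   // scripts cannot read it, which limits hijacking via XSS
        'samesite' => 'Lax',
    ) );
    $_COOKIE[ EXAMPLE_SESSION_COOKIE ] = $token; // make it visible for the rest of this request
    return $token;
}

/** Return the current token only if it has the exact shape we issue; anything else is ignored. */
function example_session_token() {
    if ( empty( $_COOKIE[ EXAMPLE_SESSION_COOKIE ] ) ) {
        return null;
    }
    $token = (string) $_COOKIE[ EXAMPLE_SESSION_COOKIE ];
    return preg_match( '/^[a-f0-9]{64}$/', $token ) ? $token : null;
}

/** Read one key; a visitor without a valid token simply gets the default (no cookie is set). */
function example_session_get( $key, $default = null ) {
    $token = example_session_token();
    if ( null === $token ) {
        return $default;
    }
    $data = get_transient( 'example_session_' . $token );
    return ( is_array( $data ) && array_key_exists( $key, $data ) ) ? $data[ $key ] : $default;
}

/** Write one key; the cookie is only created when there is state to store. */
function example_session_set( $key, $value ) {
    $token = example_session_token();
    if ( null === $token ) {
        $token = example_session_issue_token();
    }
    $data         = get_transient( 'example_session_' . $token );
    $data         = is_array( $data ) ? $data : array();
    $data[ $key ] = $value;
    set_transient( 'example_session_' . $token, $data, EXAMPLE_SESSION_TTL );
}

/** Rotate the token when privilege changes (login), so a token set before login cannot be reused. */
function example_session_regenerate() {
    $old  = example_session_token();
    $data = $old ? get_transient( 'example_session_' . $old ) : array();
    if ( $old ) {
        delete_transient( 'example_session_' . $old );
    }
    $new = example_session_issue_token();
    set_transient( 'example_session_' . $new, is_array( $data ) ? $data : array(), EXAMPLE_SESSION_TTL );
}
add_action( 'wp_login', 'example_session_regenerate' );

// Typical use from a theme or plugin, e.g. on "add to cart":
// example_session_set( 'cart', array( 'sku-123' => 2 ) );
// $cart = example_session_get( 'cart', array() );
```

Compared with session_start, this addresses each point the article raises: no PHPSESSID cookie is emitted, no per-session file is written, the data lives in storage that every clustered web server can reach, the token is random and rotated at login (the fixation case), and the HttpOnly/Secure flags and server-side storage keep the session contents out of the browser (the exposure and hijacking cases). Because example_session_set is the only place that creates the cookie, anonymous visitors who never store anything keep receiving fully cached pages. When auditing a plugin for session_start, the same search should also cover $_SESSION reads, since a file that only reads the superglobal depends on a session being started elsewhere.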

