WP Engine Products

WordPress Hosting

Boost performance while managing less

WooCommerce Hosting

Build faster and sell more with WooCommerce

Headless WordPress

Build, deploy, and manage headless sites

View More Products

Solutions

Small Businesses

Enterprises

Agencies

eCommerce

View More Solutions

Website Tools

Smart Plugin Manager

Website Tester

Website Monitoring

WordPress Themes and Tools

Local WordPress Development

Featured Plugins

Advanced Custom Fields

Build rich, custom content editing experiences

WP Migrate

Migrate WordPress sites with confidence

WP Offload Media

Offload media assets & serve them lightning fast

WP Offload SES

Improve email send reliability with Amazon SES

View More Recommended Plugins

WordPress Resources

WP Engine Resources

Articles and videos for help with WordPress

WP Engine Help Docs

Guides for site setup & troubleshooting

Free Website Migration

Automated migration plugin & support

Find a WordPress Agency

Need help? Search our agency directory

Stay Connected

WP Engine Blog

Builder Community

Headless Developer Community

Torque Magazine

Velocitize Magazine

Thought Leadership

Velocitize Talks

Erik Posthuma of Aleph-labs on Web3, Cryptocurrency, & More

Podcast

Press This, the WordPress Community Podcast

Study

The World’s First Study of the WordPress Economy

Why WP Engine?

Our Platform Technology

Managed WordPress Hosting

Fast WordPress

Secure WordPress

24/7 WordPress Support

About Us

WP Engine Reviews

How You Win with WP Engine

Build faster, protect your brand, and grow your business with the #1 WordPress platform to power remarkable online experiences.

Learn More

Customer Spotlight

Peak Performance With Headless WordPress

Android Authority increases speed 6x by adopting a headless architecture with a WordPress back-end.

All Case Studies

Contact sales

Call Us

+1-512-273-3906 to talk to a sales expert

Request a Quote

Submit a request for a personalized plan recommendation

Let’s Chat

Customer Support

Support Articles

Billing Help

Password Help

Log In for Support
Easiest Migration Ever!

Need Help Choosing a Plan?

We offer solutions for businesses of all sizes. For questions about our plans and products, contact our team of experts. Get in touch

Support Center
Setup A Site
Account & Features
Platform Information
WordPress Help
Troubleshoot
Browse All

Cookies and PHP Sessions

Last updated on November 16th, 2023

Cachephp

It’s important to understand how cookies and PHP Sessions are handled are WP Engine, especially if migrating a website. In this article we’ll explain what cookies and PHP Sessions are, how they interact with page caching, and the performance implications of using them.

Contents hide
1 Cookies
2 Issues with Cookies
3 Cookie Alternatives
3.1 Use Admin-ajax Calls
3.2 Exclude Pages from Cache when Cookie is Present
4 PHP Sessions
5 Issues With Sessions
6 Session Alternatives

Cookies

The term “cookie” refers to contextual bits of data your web browser stores. A cookie could be used to display different information on a website for different users, or to gather data about the browsing activity of a user.

Cookies are assigned to individual users, which means they are not intended to span multiple user sessions. The data stored should have the ability to return a unique value and apply a unique set of rules. EX: If you want your site to show a popup for users who are already subscribers, compared to users who are not already subscribers, a cookie could help.

Issues with Cookies

When present, cookies work with the PHP as the page is loaded in order to perform a unique action. When a page is served from cache, it’s already been generated previously by the server. If the page is cached, the cookie cannot be generated and perform its action with the page load as expected.

A cookie may only work as expected when you are logged in to the WordPress Admin Dashboard. This is because logged-in user sessions specifically bypass the page cache layer and will be processed by PHP every time.

We recommend populating all the available options for the action you wish to take with HTML or PHP. Then, you can use JavaScript to select which option to load (based on the presence of the cookie). In this way, the fully-formed page served by cache will still fit all scenarios, since browser-side JavaScript will determine which of the available options show.

In an example using very simple conditional HTML, the code would say to show one sidebar image when a preferred user visits, and another image for those who need to sign up. Then, JavaScript would read the $_COOKIE header to determine which sidebar image to show.

Cookie Alternatives

If you try to use PHP to read cookies, it will likely only display an empty cookie array. And while it’s not ideal, we understand that sometimes this might be a necessity for sites. Page caching does not automatically mean that you can’t use PHP to read cookies. There are two alternatives:

Use Admin-ajax Calls

  • JavaScript triggers a POST request to admin-ajax.php. PHP is then able to receive and, if needed, perform different actions.
  • This scenario should only be used if your page is not making any other admin-ajax requests. Sending multiple requests to admin-ajax.php is not ideal and directly counteracts the benefits of this method.
  • An example can be found here

Exclude Pages from Cache when Cookie is Present

  • The page is built fresh in PHP for your users only when the cookie is present.
  • Note: Uncaching pages will not scale well with increased traffic.
  • Contact Support from your User Portal for assistance.

PHP Sessions

PHP Sessions are bits of data about a user, meant to stick with users as they navigate your site. A PHP Session involves setting a cookie called PHPSESSID with a unique identification string as the value.

EX: Storing shopping cart data, recently viewed items, or a logged-in status across multiple pages.

Issues With Sessions

The biggest problem this presents is due to the unique session IDs. Unique IDs effectively bust cache and causes every session to become uncached. This will cause serious performance issues for your site. With that in mind, our system specifically ignores headers that define a PHPSESSID cookie.

PHP Sessions also store data to the filesystem as their own unique file. Writing data to a file is an I/O process which are known to back up and cause high server load. This kind of session storage also simply doesn’t work if your site is on an AWS clustered solution spanning multiple web servers.

Finally, there are multiple security vulnerabilities centering around PHP Sessions. Vulnerabilities include session data being exposed, session fixation, and session hijacking.

Session Alternatives

WordPress itself specifically doesn’t use PHP sessions. The correct method to store session data is to use the database. WooCommerce and many other eCommerce solutions have previously converted to using this method.

If checking through your site’s code you find a plugin or theme file that uses session_start, check if there’s an update available. After updating, check the code again to verify it’s been corrected. If your plugin or theme doesn’t have an update or it continues using sessions after the update, we highly recommend reaching out to the developer or finding a more secure alternative.

NEXT STEP: User segmentation and cache

Geographically customize content

Customize page content for your users based on their location without compromising cache or performance using WP Engine's GeoTarget.

Get the add-on

Talk to a specialist