Cookies and PHP Sessions
It’s important to understand how cookies and PHP Sessions are handled at WP Engine, especially if you are migrating a website. In this article we’ll explain what cookies and PHP Sessions are, how they interact with page caching, and the performance implications of using them.
The term “cookie” refers to contextual bits of data your web browser stores. A cookie could be used to display different information on a website for different users, or to gather data about the browsing activity of a user.
Cookies are assigned to individual users, which means they are not intended to span multiple users’ sessions. The data stored should be able to return a unique value and apply a unique set of rules. EX: If you want your site to show a different popup to users who are already subscribers than to users who are not, a cookie could help.
Issues with Cookies
When present, cookies work with PHP as the page is loaded in order to perform a unique action. When a page is served from cache, it has already been generated by the server on an earlier request, so PHP does not run for that load. If the page is cached, the cookie therefore cannot be generated or acted upon during the page load as expected.
A cookie may only work as expected when you are logged in to the WordPress Admin Dashboard. This is because logged-in user sessions specifically bypass the page cache layer and will be processed by PHP every time.
If you try to use PHP to read cookies on a cached page, it will likely only display an empty cookie array. And while it’s not ideal, we understand that sometimes this might be a necessity for sites. Page caching does not automatically mean that you can’t use PHP to read cookies. There are two alternatives:
Use Admin-ajax Calls
- This scenario should only be used if your page is not making any other admin-ajax requests. Sending multiple requests to admin-ajax.php is not ideal and directly counteracts the benefits of this method.
- An example can be found here
Exclude Pages from Cache when Cookie is Present
- The page is built fresh in PHP for your users only when the cookie is present.
- Note: Uncaching pages will not scale well with increased traffic.
- Contact Support from your User Portal for assistance.
PHP Sessions are bits of data about a user, meant to stick with users as they navigate your site. A PHP Session involves setting a cookie called PHPSESSID with a unique identification string as the value.
EX: Storing shopping cart data, recently viewed items, or a logged-in status across multiple pages.
Issues With Sessions
The biggest problem this presents is the unique session IDs. Unique IDs effectively bust the cache and cause every session to become uncached. This will cause serious performance issues for your site. With that in mind, our system specifically ignores headers that define a PHPSESSID cookie.
PHP Sessions also store data to the filesystem, each session as its own unique file. Writing data to a file is an I/O process, and I/O processes are known to back up and cause high server load. This kind of session storage also simply doesn’t work if your site is on an AWS clustered solution spanning multiple web servers.
Finally, there are multiple security vulnerabilities centering around PHP Sessions. Vulnerabilities include session data being exposed, session fixation, and session hijacking.
WordPress itself specifically doesn’t use PHP sessions. The correct method to store session data is to use the database. WooCommerce and many other eCommerce solutions have already converted to this method.
If checking through your site’s code you find a plugin or theme file that uses session_start, check if there’s an update available. After updating, check the code again to verify it’s been corrected. If your plugin or theme doesn’t have an update or it continues using sessions after the update, we highly recommend reaching out to the developer or finding a more secure alternative.
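To illustrate the database-backed approach recommended above, here is an added example (not WP Engine’s or WordPress’s own code) of a small session store keyed by a random cookie and persisted through the WordPress Transients API instead of session_start() and $_SESSION. The cookie name, the transient prefix and the myplugin_* function names are hypothetical; the cookie itself is still subject to the caching rules described in the cookie section.

```php
<?php
// Added example, not WP Engine's or WordPress's code. Assumes it runs inside
// WordPress: get_transient, set_transient, delete_transient and
// wp_generate_password are WordPress core functions.

const MYPLUGIN_SESSION_COOKIE = 'myplugin_session'; // hypothetical cookie name
const MYPLUGIN_SESSION_TTL    = 2 * 3600;           // two hours, in seconds

// Return the current session ID, issuing a fresh one when none is valid
// or when $regenerate is true.
function myplugin_session_id( bool $regenerate = false ): string {
    static $id = null;
    if ( $id === null && ! $regenerate && ! empty( $_COOKIE[ MYPLUGIN_SESSION_COOKIE ] ) ) {
        // Accept only the exact shape we issue, so an arbitrary cookie value
        // can never be used as a transient key.
        if ( preg_match( '/^[A-Za-z0-9]{40}$/', $_COOKIE[ MYPLUGIN_SESSION_COOKIE ] ) ) {
            $id = $_COOKIE[ MYPLUGIN_SESSION_COOKIE ];
        }
    }
    if ( $id === null || $regenerate ) {
        // Random ID from the server, never taken from the client: rotating it
        // on login is the standard defence against session fixation.
        $id = wp_generate_password( 40, false );
        setcookie( MYPLUGIN_SESSION_COOKIE, $id, [
            'expires'  => time() + MYPLUGIN_SESSION_TTL,
            'path'     => '/',
            'secure'   => true,   // HTTPS only, so the ID is not exposed in transit
            'httponly' => true,   // not readable by JavaScript
            'samesite' => 'Lax',
        ] );
    }
    return $id;
}

function myplugin_session_get( string $key, $default = null ) {
    $data = get_transient( 'myplugin_sess_' . myplugin_session_id() );
    return is_array( $data ) && array_key_exists( $key, $data ) ? $data[ $key ] : $default;
}

function myplugin_session_set( string $key, $value ): void {
    $id   = myplugin_session_id();
    $data = get_transient( 'myplugin_sess_' . $id );
    $data = is_array( $data ) ? $data : [];
    $data[ $key ] = $value;
    // Stored in the wp_options table, so every web server in a cluster sees it.
    set_transient( 'myplugin_sess_' . $id, $data, MYPLUGIN_SESSION_TTL );
}

// Call on login: move the data to a new ID and delete the old record.
function myplugin_session_regenerate(): void {
    $old  = myplugin_session_id();
    $data = get_transient( 'myplugin_sess_' . $old );
    delete_transient( 'myplugin_sess_' . $old );
    $new  = myplugin_session_id( true );
    if ( is_array( $data ) ) {
        set_transient( 'myplugin_sess_' . $new, $data, MYPLUGIN_SESSION_TTL );
    }
}
```

Entries expire with the transient TTL, so abandoned sessions are cleaned up by WordPress rather than left behind as files on disk.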