Where are PHP session cookies stored?
Cookies were first invented in 1994 by a computer programmer named Lou Montulli. Without them, the web would be quite a different place. Whether you’re logging into the back-end of your WordPress site or closing an annoying popup window, you use and interact with cookies every day (even if you don’t realize it).
By now, you’ve probably guessed that when we refer to cookies, we mean the cookies used to store important visitor information on a website, not the yummy chocolate chip kind. 🍪 Today we’re going to dive into the sometimes confusing topic of cookies and PHP sessions. Specifically, everything you need to know about how WordPress uses them, along with some common issues that you should be aware of (especially as a developer) when it comes to hosting your website, custom code, or using a third-party plugin. In our opinion, this subject isn’t discussed enough.

What Are Cookies?

A cookie (also referred to as a web cookie, tracking cookie, HTTP cookie, browser cookie) is a small piece of data stored by a user’s browser (Chrome, Firefox, etc.) when they visit a website. It contains information regarding browsing activity and is typically used to personalize the user’s experience or for authentication and verification purposes. Session cookies and persistent cookies are common types of cookies.
Types of Cookies

There are two different types of cookies that are commonly set: session cookies and persistent cookies.

Session Cookies

Session cookies, also known as transient cookies, are temporary. They don’t have an expiration date attached and only store information about what the user does during a single session. A session is simply a randomly generated/unique value that is assigned when someone visits a website. Session cookies are stored temporarily in memory and are automatically removed when the browser closes or the session ends.

Persistent Cookies

Persistent cookies, as you might have guessed, are those that contain an expiration date. These last much longer and are stored on disk until they expire or are manually cleared by the user. These are also sometimes referred to as “tracking cookies,” as these are the types of cookies that Google Analytics, AdRoll, Stripe, etc. all use. Our Kinsta affiliate program is another example. A 60-day cookie is placed in the user’s browser when they click on an affiliate link. This ensures that the referrer gets proper credit, even if the person has closed and re-opened their browser multiple times.

How WordPress Core Uses Cookies

When we refer to WordPress core, we simply mean the files that make up the open source project, before installing any third-party plugins or themes. It’s WordPress in its natural state as we like to call it. Now that you know the basics of what a cookie is and the different types, let’s take a look at why and how WordPress core uses them to make all that magic happen behind the scenes. Fun fact: Cookie was originally derived from the term “magic cookie.” WordPress core uses cookies for two different purposes:

1. Login Cookies

Login cookies contain authentication details and are used when a user logs into the WordPress admin dashboard. According to the WordPress Codex, a couple of different session cookies are set:
When you try to access the back-end of your WordPress site, a check is done to see if the two cookies above exist and haven’t expired. This is what allows you to magically bypass the WordPress also sets

2. Comment Cookies

By default, there are cookies set when someone comments on a blog post (with an expiration of 347 days). This is so if they come back later they don’t have to fill out all the information all over again. The following three cookies are stored:
However, with recent privacy policy changes due to GDPR, new tools have been introduced by WordPress core to make sure you let users opt-in to these cookies being set. This setting, if not already set, can be enabled under “Settings → Discussion” in your WordPress admin dashboard. Select the option to “Show comments cookies opt-in checkbox.” The popular Akismet plugin also allows you to display a privacy notice.

How Third-Party WordPress Plugins and Themes Use Cookies

Just like WordPress uses cookies for certain functionality, third-party plugins and themes you install also set cookies. Most of them use a combination of browser cookies and database rows stored in the
With new privacy laws, it’s more important than ever to actually understand what cookies are being set and if they are providing a way for your visitors to opt-in. Tip: not all cookies require opt-in. Read our in-depth post on GDPR to get a better understanding of new requirements. Here are just a couple of the many examples of what cookies are used for:
Essentially, any action or opt-in on a WordPress site will typically involve setting a cookie in the browser behind the scenes. The goal of this is, of course, to try and help improve the browser experience or provide additional functionality through verification.

WooCommerce Cookies

Ecommerce plugins such as WooCommerce typically have their own additional cookies they set so that buyers can easily add things to their cart, store for later when they checkout, and log in and out of their account. To keep track of cart data, WooCommerce sets the following three cookies (no personal information is stored in the cookies):
The first two cookies contain information about the cart and simply help WooCommerce know when the cart data changes. The third cookie

The Easy Digital Downloads Cookies

Easy Digital Downloads by default uses WP_Session, which is a combination of browser cookies and database rows stored in the
Cookies and WordPress Caching

When it comes to WordPress cache, this is where things get tricky. Caching is essentially the process of storing resources from one request and reusing those resources for subsequent requests. Basically, it reduces the amount of work required to generate a page view. While this is great for performance, it causes a problem when it comes to cookies. Why? Because cookies are there to perform a certain action, such as keeping the shopping cart populated while you browse around a WooCommerce site. However, if a page is served from cache, neither PHP nor the database does anything; the server simply serves up a static copy of the page. So what can you do?

1. Use JavaScript

The first option would be to use JavaScript and update content on a page dynamically. Basically, you have HTML placeholders and use JavaScript to pull in info over an API or ajax call. An example would be loading a list of posts in the WordPress sidebar by using JavaScript to grab a list of posts over the wp-api and then render them in the sidebar. In that scenario you could update the list of posts without clearing the page from cache since the data is generated dynamically. This isn’t ideal though; it’s always better to cache if possible in terms of performance. But if you must have some bit of content remain dynamic while the page itself can remain static (served from cache), that’s one way to do it: use JavaScript to pull down the content for that part of the page dynamically via an API/ajax call. However, unless you can hire a WordPress developer to build a custom JavaScript solution or extension of a plugin, this option usually isn’t practical.

2. Use Admin-Ajax Calls
However, just like with JavaScript, going down this route is typically not feasible for the average user. It can also lead to other performance problems such as high admin-ajax usage and lots of uncached requests.

3. Exclude Pages From Cache (When the Cookie is Present)

Unless you can go down the JavaScript or admin-ajax route, excluding pages from caching when a specific cookie is present is the best way to go. This is typically what we recommend, especially for those running highly dynamic sites such as WooCommerce and Easy Digital Downloads. At Kinsta, certain WooCommerce and Easy Digital Downloads pages like cart, my-account, and checkout, are automatically excluded from caching. There is a server-level rule in place so that users automatically bypass the cache when the We also listen for the associated logged-in cookies and set the cache to bypass when we detect that someone has logged into WordPress. This prevents the back-end dashboard from accidentally being cached. By default, we don’t exclude the However, due to there being many different WordPress theme and plugin configurations, we can exclude the If you need a custom page excluded from cache, feel free to open up a ticket with our support team. Again, you have to be careful when it comes to exclusions. Too many uncached pages could really deteriorate performance. Check out our do’s and don’ts for hosting WordPress membership sites.

How to See and Clear Cookies

It’s easy to see and clear cookies on a website. To see what cookies are set on a specific site, browse to that site and click on the little padlock icon at the top. Then click on “Cookies.” Then drill down to that website’s folder. In the example below, you can see that we have a few WooCommerce cookies set, as well as the To remove a cookie, simply click on an individual cookie and click the “Remove” button. You can also do this at the folder level or in Chrome DevTools. Clearing cookies can also help you to fix the 304 error. Alternatively, you can search for or clear all cookies in your browser.

GDPR is a new privacy law that came into effect on May 25th, 2018. It was designed to give citizens back control of their personal data. We highly recommend reading our in-depth post: the lowdown on GDPR compliance if you haven’t already. This is one topic that can’t be summarized in a paragraph! Here is an example of one change we made at Kinsta to help comply with the new law. When you first visit our site, you might have already seen it, you’re met with an “Accept Cookies” prompt at the bottom of the screen. This is because we are now legally required to provide users a way to opt-in and opt-out of cookies being set. Gone are the days of just running whatever you want without informing users of data collection. If you click “Accept Cookies,” all cookies are then set for the user. If you click “Cookie Settings,” we now provide a way to opt-in and opt-out of whichever cookies you want. Pretty nifty, right? Our cookie solution was built in-house by our developers, but here are some helpful GDPR WordPress plugins that can help you accomplish something similar.
Again, cookies are just one small part of becoming completely GDPR compliant.

PHP Sessions

PHP sessions are an alternative to the standard cookie approach. It’s still a cookie, but it’s called PHPSESSID and is typically stored in the This can also be seen under the HTTP header for a site. A PHP session is much like a normal session which ends when the user closes their browser. The problem with PHP sessions all comes down to performance and caching issues. The information stored in the browser cookie has to bounce back and forth with each request so that the server knows who the user is. This means for sites that use PHPSESSID, the host would have to set the PHPSESSID to bypass the cache. However, the result is that PHPSESSID would have to be set to bypass 100% of the time, because unlike So imagine that the That’s the problem with using PHPSESSID. Because it’s generated on every single PHP request, if a site relies on PHPSESSID cookies the host would have to set PHPSESSID to bypass cache 100% of the time. Otherwise, the PHPSESSIDs end up cached and it messes up whatever functionality relies on it. We don’t recommend using PHP sessions and they will usually not work in our Kinsta environment. PHP sessions also have other security implications that should be considered. If you see code using Many plugin and theme developers have moved to using a combination of browser cookies and database rows (either in the Feel free to reach out to our support team if you have additional questions regarding PHP sessions.

Summary

Hopefully, now you know a little bit more about how WordPress cookies and PHP sessions work than you did before. Cookies are currently what makes the world go round and are important for pretty much everything that happens on a WordPress site. From keeping us logged in, to ensuring a smooth shopping cart experience, and even making sure that a popup window stays closed. Have any other questions about cookies?
🍪 Let us know below in the comments.
Where are session cookies stored?

The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer. They typically store information in the form of a session identification that does not personally identify the user.
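The caching problem described under PHP Sessions above, where a session cookie ends up inside a cached page, can be checked for from response headers. This is an added example, not code from the original article or from Kinsta: it lists every Set-Cookie seen on a cache hit and labels it session or persistent by whether an expiry is attached. The `X-Cache` header name, the URLs and the cookie values are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from a real site). "X-Cache" is an
# assumed cache-status header name; hosts and CDNs each use their own.
SAMPLE_RESPONSES = [
    {"url": "/blog/", "headers": [("X-Cache", "HIT")]},
    {"url": "/cart/", "headers": [
        ("X-Cache", "BYPASS"),
        ("Set-Cookie", "PHPSESSID=constructed123; path=/; HttpOnly")]},
    {"url": "/shop/", "headers": [
        ("X-Cache", "HIT"),
        ("Set-Cookie", "PHPSESSID=constructed456; path=/")]},
    {"url": "/promo/", "headers": [
        ("X-Cache", "HIT"),
        ("Set-Cookie", "promo_seen=1; Max-Age=5184000; path=/; Secure")]},
]


def describe_cookie(set_cookie_value):
    """Return (name, kind, missing_flags) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    name, morsel = next(iter(jar.items()))
    # A cookie with neither Expires nor Max-Age lasts only for the browser session.
    kind = "persistent" if (morsel["expires"] or morsel["max-age"]) else "session"
    missing = [flag for flag in ("httponly", "secure") if not morsel[flag]]
    return name, kind, missing


def cached_set_cookies(responses, status_header="X-Cache"):
    """List (url, cookie, kind, missing_flags) for Set-Cookie seen on cache hits."""
    findings = []
    for resp in responses:
        headers = [(k.lower(), v) for k, v in resp["headers"]]
        hit = any(k == status_header.lower() and v.upper() == "HIT" for k, v in headers)
        if not hit:
            continue  # uncached responses may set cookies freely
        for k, v in headers:
            if k == "set-cookie":
                findings.append((resp["url"],) + describe_cookie(v))
    return findings


if __name__ == "__main__":
    for url, name, kind, missing in cached_set_cookies(SAMPLE_RESPONSES):
        print(f"{url}: cached {kind} cookie {name}, missing flags: {missing}")
```

A cached session cookie is the serious finding, since every visitor served that copy receives the same session identifier.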
Where are PHP sessions stored?
By default, session data is stored in the server's /tmp directory in files that are named sess_ followed by a unique alphanumeric string (the session identifier).
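Since /tmp is a directory shared by every account on the server, session files kept there are worth a permissions check. This is an added example, not from the original page: it audits a directory for `sess_` files that are accessible beyond their owner or older than a lifetime limit. The 1440-second limit mirrors PHP's default `session.gc_maxlifetime`; the directory and file names are constructed.

```python
import os
import re
import stat
import tempfile
import time

# PHP session IDs use a-z, A-Z, 0-9, "," and "-"; files are named sess_<id>.
SESSION_FILE = re.compile(r"^sess_[A-Za-z0-9,-]+$")


def audit_session_dir(path, max_age_seconds=1440, now=None):
    """Return sorted (filename, problem) pairs for session files in `path`."""
    now = time.time() if now is None else now
    findings = []
    for entry in os.scandir(path):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not SESSION_FILE.match(entry.name):
            continue  # ignore unrelated files in a shared temp directory
        info = entry.stat(follow_symlinks=False)
        if stat.S_IMODE(info.st_mode) & 0o077:
            findings.append((entry.name, "open_mode"))  # group/other can access it
        if now - info.st_mtime > max_age_seconds:
            findings.append((entry.name, "stale"))  # outlived the session lifetime
    return sorted(findings)


def build_constructed_dir():
    """Create a throwaway directory holding constructed session files."""
    root = tempfile.mkdtemp(prefix="sess_audit_")
    samples = {
        "sess_constructedok1": (0o600, 0),        # owner-only, fresh
        "sess_constructedopen2": (0o644, 0),      # world-readable
        "sess_constructedstale3": (0o600, 7200),  # two hours old
        "notes.txt": (0o644, 0),                  # not a session file
    }
    for name, (mode, age) in samples.items():
        full = os.path.join(root, name)
        with open(full, "w") as handle:
            handle.write("user_id|i:1;")  # constructed serialized session data
        os.chmod(full, mode)
        stamp = time.time() - age
        os.utime(full, (stamp, stamp))
    return root


if __name__ == "__main__":
    for name, problem in audit_session_dir(build_constructed_dir()):
        print(name, "->", problem)
```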
How are cookies stored in session?

The server creates a “session ID” which is a randomly generated number that temporarily stores the session cookie. This cookie stores information such as the user's input and tracks the movements of the user within the website. There is no other information stored in the session cookie.
Where is the session stored?

A session is a global variable stored on the server. Each session is assigned a unique id which is used to retrieve stored values. Whenever a session is created, a cookie containing the unique session id is stored on the user's computer and returned with every request to the server.