Cookie changes

Unfortunately the cf7msm_check cookie needs to be set before the first step is submitted. And the only way to know if a form is on a page is after the headers are sent which is after the time PHP can set the cookie.

Short answer: no, this cookie needs to be set on every page as the plugin is right now.

Long answer: I’ll be adding a filter so PHP sessions and the cf7msm_check cookie are not needed unless explicitly enabled. I’ll need to find some time to do it though. So probably at least a couple weeks out.

If you need to edit the code, just remember you may need to reapply your edits after the next update. I may have to put up a quick fix and it may not have the updates to the cf7msm_check cookie. Also, edit at your own risk.

It is possible to edit the code. You can replace the setcookie line to enable Httponly flag.

In the cf7msm.php file, in cf7msm_init_sessions() function, replace:
setcookie('cf7msm_check', 1, 0, COOKIEPATH, COOKIE_DOMAIN);
with:
setcookie('cf7msm_check', 1, 0, COOKIEPATH, COOKIE_DOMAIN, false, true);

also replace this in the same function to get rid of the php session cookie:

if (!session_id()) {

with this:

if ($force_session && !session_id()) {