Set cookie – headers already send
-
Hi,
I set a cookie like this:
function my_cookie() {
    setcookie( 'my_cookie', 'my_value', 0, COOKIEPATH, COOKIE_DOMAIN );
}
add_action( 'init', 'my_cookie' );
Seems to work but client reported the “Cannot modify header information – headers already sent” error. Apparently another plugin or his theme is sending output before headers are sent. I can try the send_headers() hook but notice this one is loaded after the init hook. So don’t think this will fix his problem.
Is there a way to fix this without knowing the behavior of other plugins/themes?
Guido
-
Sometimes this is a bug in another plugin or the theme, outputting something when it shouldn’t; an example may be a closing ?> in PHP followed by some blank lines, or a blank line before an opening <?php
I’m assuming here that you don’t have control over the client sites, access to debug, or knowledge of their plugins and themes ( e.g. like a plugin developer ? )
You could try a lower priority on the hook
Or try and use a much earlier hook in the hope that whatever is outputting is not doing it that early – depending on what you need you could go as early as muplugins_loaded
add_action( 'init', 'my_cookie', -1 );
You could try using the “wp_headers” filter to add your own Set-Cookie: header to all of the other WP headers about to be sent. If some other code generated output before this, it’d break all other WP header functionality.
I’ve not tested this to ensure it’s feasible, but I’m reasonably confident it’ll work. Even if it works, IDK if it’s an acceptable practice for inclusion in the WP plugin repository.
N.B: this is only feasible from plugins, themes load too late for this to work.
Hi,
Thank you both!
Thought about it a little more. As BC may already know I was testing with setting a cookie that stores a unique ID for my sum-captcha session. With that ID I was retrieving the correct transient from database. But cookies might be blocked or other plugins might cause the “headers already sent” issue, so maybe I should look for something else.
Guido
Out of interest why do you need a cookie to store the result? Are you trying to get persistence across user sessions?
Cookies are not loved by AdBlockers, privacy focussed browsers and many countries’ privacy laws so an alternative solution sounds a good idea.
Hi Alan,
Thanks, will look for something else!
Form has a sum you must solve. I’m using a transient to store the sum values. I don’t want the sum to change when form has been filled in incorrectly and page is reloaded again. It should not change before submission is successfully sent. At that point I delete transient. So yes, persistence.
By the way, WP itself stores a few cookies so did not see a privacy problem. Mostly because it’s only a session cookie that expires upon screen closing. Did not test this with adblocker though.
Guido
So a multi form form? What about
Generate a maths sum / result
Store in transient
Generate first form with the maths input
On submission check result
If OK generate the second (first with errors) form – but this time put the correct result in a hidden form field instead of input
and also put in a random nonce to stop submission without the first form submission
Captcha will pass for the second form
Is this a custom form or a package?
Or don’t use math captcha technique to try and stop bots, use a different technique ( I would tell you, but as an author of an anti spam plugin I don’t want to give all my secrets away in public )
Is that for VS Contact form? ( makes note to self to add that to the list of form plugins for my Anti Spam to protect )
Hi Alan,
Yes that’s the one. I’ve already added multiple things to avoid / reduce spam, but a sum may give plugin an extra layer of protection. I prefer to use the same transient throughout whole submission process, to avoid a new transient being generated upon every page load.
But in a previous thread I’ve already received some tips and tricks, so I don’t want this thread to become a (kind of) duplicate of my previous one
Guido
I don’t think that thread gave you an answer, just led you to cookies.
Actually I’m not even sure why you need transients for maths captcha
You know the sum when you generate the form
e.g. what is 3 + 4 = input type=number name=answer
so you also just generate a hidden field name=check with the answer, or if you are really worried bots will read that ( unlikely ) you could obscure that with a formula like answer * 18 - 3
On form validation
if name=check (adjusted) matches input name=answer great, but if form fails validation then output input type=hidden name=answer or if you are obscuring use and check a different hidden field e.g. input type=hidden name=answerobtuse
Hi Alan,
Sending the answer or sum values as hidden field(s) is a no-go, because in this case you can resend form over and over again, by using an interceptor / repeater. I was doing this, but was informed about this vulnerability and therefore had to update plugin.
Guido
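The replay problem described in the post above, next to a server-side alternative, as an added example that is not part of the original thread or of any plugin mentioned in it. It is plain PHP in which the $store array stands in for transients; the function names, the id field, the ten-minute lifetime and the five-attempt limit are assumptions. The captured hidden-field submission validates every time it is resent, while a challenge ID that is consumed on success cannot be reused.

```php
<?php
// Added example, runs with `php example.php`. $store stands in for server-side
// storage (transients in the thread); function and field names are hypothetical.

// Hidden-field scheme from the thread: check = answer * 18 - 3 travels with the form.
function hidden_field_valid(array $post): bool {
    return isset($post['answer'], $post['check'])
        && (int) $post['answer'] * 18 - 3 === (int) $post['check'];
}

// Server-side scheme: only a random ID reaches the client, the answer stays in $store.
function issue_challenge(array &$store): array {
    $a  = random_int(1, 9);
    $b  = random_int(1, 9);
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['answer' => $a + $b, 'expires' => time() + 600, 'tries' => 0];
    return ['id' => $id, 'question' => "$a + $b"];
}

function server_side_valid(array &$store, array $post): bool {
    $id = $post['id'] ?? '';
    if (!is_string($id) || !isset($store[$id])) {
        return false;                        // unknown or already consumed ID
    }
    $entry = $store[$id];
    if ($entry['expires'] < time()) {
        unset($store[$id]);                  // expired challenge
        return false;
    }
    if ((int) ($post['answer'] ?? -1) !== $entry['answer']) {
        if (++$store[$id]['tries'] >= 5) {   // assumed limit against guessing the sum
            unset($store[$id]);
        }
        return false;                        // same sum is kept for the retry
    }
    unset($store[$id]);                      // success: consume so a resend fails
    return true;
}

// Constructed submissions, not captured traffic.
$captured = ['answer' => '7', 'check' => '123'];
var_dump(hidden_field_valid($captured));     // first submission
var_dump(hidden_field_valid($captured));     // identical resend of the same fields

$store = [];
$c     = issue_challenge($store);
$post  = ['id' => $c['id'], 'answer' => (string) $store[$c['id']]['answer']]; // correct answer
var_dump(server_side_valid($store, $post));  // first submission
var_dump(server_side_valid($store, $post));  // identical resend after the ID was consumed
```

In a WordPress plugin the array reads, writes and unsets would map to get_transient(), set_transient() and delete_transient().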
True. It is all available in the DOM so only serves to fool less sophisticated scripts.
Can also look into localStorage to store my unique transient ID. Using a PHP session is not recommended by WP, so that’s not an option.
Update: it has drawbacks: not very secure and no easy expiration.
Guido
Update: it has drawbacks: not very secure and no easy expiration.
Using sessionStorage instead of localStorage or a cookie might be a better idea. Expires when browser window is closed.
Guido
Wondering why not use $_SESSION for this case? Never heard of saving captcha answers on client side. Using transients is not efficient as well, as that should perform DB query per page load & bloat your DB if you get a large number of visitors to the form (potentially bots).
Hi Sohan,
I thought that using PHP sessions within WP is not recommended, because of possible conflicts between plugins and servers that don’t allow the use of them. That’s why Transients are available, although this can result in many DB queries indeed. But I may be wrong?
Guido
The topic ‘Set cookie – headers already send’ is closed to new replies.