WordPress.org

Ready to get started?Download WordPress

Forums

Commenter Cookies (8 posts)

  1. sofaking21
    Member
    Posted 2 years ago #

    I can't find how WordPress gets the cookies from a user that browses to a site. Is there a hook that I can use to tell WordPress to ignore the comment_author, comment_author_email and comment_author_url or is there a way to ensure that these cookies do not get set other than commenting out the lines that set the cookies in the wp-comments-post.php file?

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    Why do you need to do this?

  3. sofaking21
    Member
    Posted 2 years ago #

    My site uses a content delivery network to attempt to take some of the load off our servers. Here's what happens: user A visits a post and makes a comment, thereby having the comment cookies set. Now, user A navigates to another post which pre-fills the name and email address in the form. User B now visits this second post and because it's cached by the CDN, user B now sees User A's information. I need to keep this from happening.

  4. esmi
    Forum Moderator
    Posted 2 years ago #

    That's not a WordPress issue. It's a server cache problem.

  5. sofaking21
    Member
    Posted 2 years ago #

    It's a WordPress "feature" causing a server cache problem. In theory, it should be easy for me to tell WordPress to not set the commenter cookies.

  6. The commenter cookies are stored on the commenter's computer, though. I use caching, app side and server, and it never caches user credentials or data between users. That's all browser stuff, not WordPress.

    WordPress, like all apps, checks for the cookies on your browser and, when found, pulls in data.

  7. sofaking21
    Member
    Posted 2 years ago #

    You are correct, the cookies are stored on the commenter's computer. That's not the issue. Here are the steps I used to verify this:

    1. I did an nslookup on my site and got the edge server IP that I would be hitting. Just to make sure I didn't hop edge servers, I made a hosts entry to point my site to that IP.
    2. I then contacted someone half-way across the country and told this person to make the same hosts entry.
    3. I went to a post and left a comment, thereby setting the cookies on my local machine.
    4. I navigated to another post, scrolled down to verify that my information was pre-filled into the post.
    5. I then told my guinea pig to navigate to the second post.
    6. I asked this person to tell me if anything was filled into the comment form. When he said yes, I asked him to read it to me. Successful test: Fatty McButterpants was in the name field and fatty@mcbutterpants.com was in the email field.

    The tester and I are on completely separate networks with no proxies in between. So, as you can see, WordPress reads the information in the cookies, then delivers the form as flat HTML with the values pre-filled. All of this gets cached because it is being delivered as flat HTML.

    There seems to be a couple of places of interest. The first is in wp-includes/theme-compat/comments.php:

    <p><input type="text" name="author" id="author" value="<?php echo esc_attr($comment_author); ?>" size="22" tabindex="1" <?php if ($req) echo "aria-required='true'"; ?> />
    <label for="author"><small><?php _e('Name'); ?> <?php if ($req) _e('(required)'); ?></small></label></p>
    
    <p><input type="text" name="email" id="email" value="<?php echo esc_attr($comment_author_email); ?>" size="22" tabindex="2" <?php if ($req) echo "aria-required='true'"; ?> />
    <label for="email"><small><?php _e('Mail (will not be published)'); ?> <?php if ($req) _e('(required)'); ?></small></label></p>
    
    <p><input type="text" name="url" id="url" value="<?php echo  esc_attr($comment_author_url); ?>" size="22" tabindex="3" />
    <label for="url"><small><?php _e('Website'); ?></small></label></p>

    Alternatively in wp-includes/comment-template.php there is this:
    $commenter = get_current_commenter();
    and
    foreach ( (array) $args['fields'] as $name => $field ) { echo apply_filters( "comment_form_field_{$name}", $field ) . "\n"; }

    I can't find the filters indicated in the loop, so my next thought is to attack the wp_get_current_commenter() function. If I override this function in my mu-plugins to make this function basically do nothing, this should break WordPress from even reading the cookies with no major repercussions, correct?

  8. sofaking21
    Member
    Posted 2 years ago #

    I tried the following, but it didn't work. WordPress is still reading and using the cookie to fill in the value of the field.

    <?php
    if( ! function_exists('wp_get_current_commenter') ) {
    	function wp_get_current_commenter() {
    		$comment_author = '';
    		$comment_author_email = '';
    		$comment_author_url = '';
    
    		return apply_filters('wp_get_current_commenter', compact('comment_author', 'comment_author_email', 'comment_author_url'));
    	}
    }
    ?>

    Any help here would be greatly appreciated.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags