Support » Developing with WordPress » set commenter cookie by program

  • Resolved Eric Malalel

    (@teachlynx)


    I would like to know if it is possible to set WP commenters cookie programatically.

    I have a WP site ‘origin’ where users need to log in to access content, and from there, they can access other WP sites I also manage but they don’t have a user account on it.

    So, when they comment on these other sites, hosted on different domains, I would like them to be able to comment as guest, but without the need to enter their name and email.

    In fact, these information would come from the ‘origin’ site, as url parameters added to the targeted page URL on the other sites, and when the page loads, if commenter cookie is not set, url parameters are read and commenter cookie is set using these parameters.

    Please tell me if this is possible, and how. It sounds that WP sets commenter cookie with a hash in cookie name, and I don’t know how to do this.

Viewing 8 replies - 1 through 8 (of 8 total)
  • If I had to send user data cross-domain, I’d probably use openssl_encrypt() to encrypt the data, put the encrypted data into a URL, and use openssl_decrypt() on the URL parameter on the other end. Since all the sites are yours, you can create a custom key for the encryption/decryption and (securely!) put it on each server.

    You could then create a session cookie for the user that would keep them “logged in”.

    Thanks for the security tip.
    However, my question is about creating the WP commenter cookie itself, whether or not name and email are provided encrypted in URL.
    Can’t find how to do it on this site or by googling a lot.
    If you can help on that too, thanks!

    It wasn’t a security tip, it was a way to encrypt name/email into a URL that can be used across multiple domains. Your “main” site would send people to your “satellite” sites with a URL containing an encrypted query string variable. Each “satellite” site would read the encrypted query string variable, decrypt it, and use the name/email data as it sees fit. I personally would set up a PHP session for that user and let PHP set the appropriate cookies based on the session name/email data you create for the user.

    Moderator bcworkz

    (@bcworkz)

    You can set a cookie of course. In PHP, it must be done before any output occurs. With JS, you can set it anytime. The problem is only the site setting the cookie is able to receive the cookie values from the browser. Other sites cannot access this data. Even if they are both your sites, the browser does not know this. The one exception is if the other site’s page contains content from the cookie setting site. This is then a third party cookie and the reason data aggregators get site owners to place “web bugs” on pages so they can track what users do.

    I don’t know exactly how to manage such data. It’s an unreliable approach anyway because users often disable third party cookies. I’d advise you to work out a different scheme. Also, likely why DionDesigns is suggesting encryption, using third party cookies to manage log in status may open up your sites to CSRF attacks. For subscribers with little capabilities, this is not a big concern. But when someone logged in as an admin is using the same mechanism, it is a huge risk.

    I’m not a security expert, but I’m not sure even passing encrypted tokens in URLs is necessarily adequate. It depends on how the tokens and encryption keys are managed. Maybe a sort of 2FA is in order. The token comes from the browser via URL request. The server then contacts the other site directly to confirm the token is valid. The token is only valid for a short period of time.

    Anyway, authentication through third party servers is done securely all the time. I don’t know the details, but I can’t imagine third party cookies play a part. Your sites will likely need SSL certificates. Good luck in finding something that works for you. Solutions are out there.

    Well, thanks for all these feedbacks and advices, but my question is not how to set cookie in PHP or how to set it securely, my question is: how to set commenter cookie by program.
    To be more precise, this cookie is usually set by WP itself and obeys to strict syntax:
    https://codex.wordpress.org/WordPress_Cookies
    excerpt from this page:
    When visitors comment on your blog, they too get cookies stored on their computer. This is purely a convenience, so that the visitor won’t need to re-type all their information again when they want to leave another comment. Three cookies are set for commenters:
    comment_author_{HASH}
    comment_author_email_{HASH}
    comment_author_url_{HASH}
    So, how to generate these cookies, knowing that there is a {HASH} in their names. How to genenate the right {HASH} which will then be accepted by WP.
    Thanks in advance for feedback on this specific point.

    Moderator bcworkz

    (@bcworkz)

    Look at the source code for wp_set_comment_cookies(). The constant values are defined in /wp-includes/default-constants.php.

    Even with correctly set cookies, they may not be available where you want them. As I mentioned earlier, the problem is only the site setting the cookie is able to receive the cookie values from the browser. Other sites cannot access this data. Even if they are both your sites, the browser does not know this.

    Thanks for pointing me in the right direction.
    And as it happens sometimes, the answer was in the question.
    Just had to dig into the code and find it.
    Thanks again.

    Moderator bcworkz

    (@bcworkz)

    🙂 Yeah, it’s so obvious once it’s pointed out. But finding it without knowing where to look can be a bitch.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘set commenter cookie by program’ is closed to new replies.