sofaking21

You are correct, the cookies are stored on the commenter’s computer. That’s not the issue. Here are the steps I used to verify this:

1. I did an nslookup on my site and got the edge server IP that I would be hitting. Just to make sure I didn’t hop edge servers, I made a hosts entry to point my site to that IP.
2. I then contacted someone half-way across the country and told this person to make the same hosts entry.
3. I went to a post and left a comment, thereby setting the cookies on my local machine.
4. I navigated to another post, scrolled down to verify that my information was pre-filled into the post.
5. I then told my guinea pig to navigate to the second post.
6. I asked this person to tell me if anything was filled into the comment form. When he said yes, I asked him to read it to me. Successful test: Fatty McButterpants was in the name field and fatty@mcbutterpants.com was in the email field.

The tester and I are on completely separate networks with no proxies in between. So, as you can see, WordPress reads the information in the cookies, then delivers the form as flat HTML with the values pre-filled. All of this gets cached because it is being delivered as flat HTML.

There seems to be a couple of places of interest. The first is in wp-includes/theme-compat/comments.php:

<p><input type="text" name="author" id="author" value="<?php echo esc_attr($comment_author); ?>" size="22" tabindex="1" <?php if ($req) echo "aria-required='true'"; ?> />
<label for="author"><small><?php _e('Name'); ?> <?php if ($req) _e('(required)'); ?></small></label></p>

<p><input type="text" name="email" id="email" value="<?php echo esc_attr($comment_author_email); ?>" size="22" tabindex="2" <?php if ($req) echo "aria-required='true'"; ?> />
<label for="email"><small><?php _e('Mail (will not be published)'); ?> <?php if ($req) _e('(required)'); ?></small></label></p>

<p><input type="text" name="url" id="url" value="<?php echo  esc_attr($comment_author_url); ?>" size="22" tabindex="3" />
<label for="url"><small><?php _e('Website'); ?></small></label></p>

Alternatively in wp-includes/comment-template.php there is this:
$commenter = get_current_commenter();
and
foreach ( (array) $args['fields'] as $name => $field ) { echo apply_filters( "comment_form_field_{$name}", $field ) . "\n"; }

I can’t find the filters indicated in the loop, so my next thought is to attack the wp_get_current_commenter() function. If I override this function in my mu-plugins to make this function basically do nothing, this should break WordPress from even reading the cookies with no major repercussions, correct?

My site uses a content delivery network to attempt to take some of the load off our servers. Here’s what happens: user A visits a post and makes a comment, thereby having the comment cookies set. Now, user A navigates to another post which pre-fills the name and email address in the form. User B now visits this second post and because it’s cached by the CDN, user B now sees User A’s information. I need to keep this from happening.