Set cookie – headers already send

Sometimes this is a bug in another plugin or the theme, outputting something when it shouldn’t and example may be a closing ?> in php followed by some blank lines of a blank line before and opening <?php

I’m assuming here that you dont have control over the client sites, access to debug, or knowledge of their plugins and themes ( e.g. like a plugin developer ? )

You could try a lower priority on the hook

Or try an use a much earlier hook in the hope that what ever is outputting is not doing it that early – depending on what you need youcould go as early as muplugins_loaded

add_action( 'init', 'my_cookie', -1 );

You could try using the “wp_headers” filter to add your own Set-Cookie: header to all of the other WP headers about to be sent. If some other code generated output before this, it’d break all other WP header functionality.

I’ve not tested this to ensure it’s feasible, but I’m reasonably confident it’ll work. Even if it works, IDK if it’s an acceptable practice for inclusion in the WP plugin repository.

N.B: this is only feasible from plugins, themes load too late for this to work.

Hi,

Thank you both!
Thought about it a little more. As BC may already know I was testing with setting a cookie that stores an unique ID for my sum-captcha session. With that ID I was retrieving the correct transient from database. But cookies might be blocked or other plugins might cause the “headers already send” issue, so maybe I should look for something else.

Guido

Out of interest why to you need a cookie to store the result? Are you trying to get persistence across user sessions?

Cookies are not loved by AdBlockers, privacy focussed browsers and many countries privacy laws so an alternative solution sounds a good idea.

Hi Alan,

Thanks, will look for something else!

Form has a sum you must solve. I’m using a transient to store the sum values. I don’t want the sum to change when form has filled in incorrect and page is reloaded again. It should not change before submission is successfully send. At that point I delete transient. So yes, persistence.

By the way, WP itself stores a few cookies so did not see a privacy problem. Mostly because it’s only a session cookie that expires upon screen closing. Did not test this with adblocker though.

Guido

So a multi form form? What about

Generate a maths sum / result
Store in transient
Generate first form with the matchs input
On submission check result
If OK generate the second (first with errors) form – but this time put the correct result in a hidden form field instead of input
and also put in a random nonce to stop submission without the first form submission
Captcha will pass for the second form

Is this a custom form or a package

Or dont use math captcha technique to try and stop bots use a different technique ( I would tell you, but as an author of an anti spam plugin I dont want to give all my secrets away in public )

• This reply was modified 1 year, 5 months ago by Alan Fuller.
• This reply was modified 1 year, 5 months ago by Alan Fuller.

Is that for VS Contact form? ( makes note to self to add that to the list of form plugins for my Anti Spam to protect )

• This reply was modified 1 year, 5 months ago by Alan Fuller.

Hi Allen,

Yes that’s the one. I’ve already added multiple things to avoid / reduce spam, but a sum may give plugin an extra layer of protection. I prefer to use the same transient throughout whole submission process, to avoid a new transient is generated upon every page load.
But in a previous thread I’ve already received some tips and tricks, so I don’t want this thread become a (kind of) duplicate of my previous one ??

Guido

I dont think that thread gave you an answr just led you to cookies.

Actually I’m not even sure why you need tansients for maths captcha

You know the sum when you generate the form
e.g. what is 3 + 4 = input type=number name=answer
so you also just generate a hidden field name=check with the answer or if you are really worried bots will read than ( unlikely ) you could obsurce that with a formula like answer * 18 -3
On form validaton
if name=check (adjusted) matches input name=answer great but is form fails validation then output input type=hidden name=answer or if you are obsuring use and check a different hidden field e.g. input type=hidden name=answerobtuse

• This reply was modified 1 year, 5 months ago by Alan Fuller.

Hi Alan,

Sending the answer or sum values as hidden field(s) is a no-go, because in this case you can resend form over and over again, by using an interceptor / repeater. I was doing this, but was informed about this vulnerability and therefore had to update plugin.

Guido

True. It is all avaibale in the dom so only serves to fool less sophisticated scripts.

Can also look into localStorage to store my unique transient ID. Using a PHP session is not recommended by WP, so that’s not an option.

Update: it has drawbacks: not very secure and no easy expiration.

Guido

Update: it has drawbacks: not very secure and no easy expiration.

Using sessionStorage instead of localStorage or a cookie might be a better idea. Expires when browser window is closed.

Guido

Wondering why not use $_SESSION for this case? Never heard saving captcha answers on client side. Using transients is not efficient as well, as that should perform DB query per page load & bloat your DB if you get a large number of visitors to the form (potentially bots).

Hi Sohan,

I thought that using PHP sessions within WP is not recommended, because of possible conflicts between plugins and servers that don’t allow the use of them. That’s why Transients are available, although this can result in many DB queries indeed. But I may be wrong?

Guido