First of all, two things.
1 Best forum plugin ever! Amazing work!
2 I'm by no means an expert in any of the real technical stuff.
Okay, I figured out that from all the plugins I run, WPForo is the only one that uses the PHPSESSID cookie. I also learned that this cookie prevents any form of caching from happening. No problem on the forum because all caching should be disabled on the forum paged anyway.
BUT, Once the cookie is placed, all the other pages of my website are not being cached anymore either!!!
The forum is part of a bigger website and it now hurts the performance of the whole website. I asked around and the advice I get from different people is this:
1. Change to another forum plugin that doesn't use PHPSESSID cookie.
2. Ask the developer of the plugin to change to a different method of storing user sessions.
3. Host the forum on a separate domain away from the website.
I do not want to switch to another plugin, WPForo is amazing. Hosting the forum on a separate domain would create a terrible user experience since I integrate the forum into different elements of the website. I don't want to ask users to move away from the website and login again for the forum on another website. Also that would make no sense for SEO.
So two questions:
Like talked about in this post https://wpforo.com/community/general-discussions/wp-foro-using-phpsessid-why/ by @jsprfrmn, are there any serious plans to change this in the very very near future?
Until then, is there anything I can do to stop WPForo from using the PHPSESSID cookie?
Thanks a million!
Thank you, @david_nova,
This issue is not general and it's only related to some cache solutions.
However, we're working on this and the PHP Session will be removed soon. I have no an exact ETA yet. At the moment you can disable the session by editing /wp-content/plugins/wpforo/wpf-includes/functions.php file. Find this code:
function wpforo_is_session_started(){
if ( php_sapi_name() !== 'cli' ) {
if ( version_compare(phpversion(), '5.4.0', '>=') ) {
return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
} else {
return session_id() === '' ? FALSE : TRUE;
}
}
return FALSE;
}
Change it to this:
function wpforo_is_session_started(){
return FALSE;
}
This will affect some notifications. So you may not see some notifications. For example after creating a topic, you'll not see a message in the top right corner "Your topic is successfully added" and so on. If the top right bubble notifications are important for you, you should wait for the removing PHP session in future releases. If these notifications are not important you can do the change provided above. This change only affects the top right green message box, nothing else.
Thank you @martin for your fast and helpful reply.
I applied your advice and changed the code. I'm a bit confused about the outcome, however.
First of all I created a staging environment and deleted all other plugins except WPForo, just to be sure the PHPSESSID cookie doesn't come from somewhere else. When I deactivate WPForo and inspect the site with dev-tools, none of the regular (non-WPForo) pages show a PHPSESSID cookie and varnish cache says HIT. Caching works.
When I re-activate WPForo, the same regular (non-WPForo) pages now load a PHPSESSID cookie and varnish cache says MISS. Caching doesn't work.
This is still happening after changing the suggested code and clearing all the caches including the browser cache.
I do see however, that after changing the suggested code, the green message bubbles in the top right corner are gone. I think that tells me that I changed the functions.php file successfully.
Why is WPForo still placing PHPSESSID cookies after all this?
Is there something else I can do?
Varnish caching does not seem to work whenever there is a PHPSESSID cookie present. The load speed of my regular pages improves with more than 3 seconds when varnish caching does work. Not a small difference.
Thanks again for your time.
Hi team Foro,
first of all I'm super grateful for the amazing work you guys do and I just want to let you know that I think WPForo is the absolute best forum plugin out there at the moment! I'm serious! And, anything I ask about removing User Session Cookies is in no way any criticism on the amazing job you guys do. I also bought almost all your add-ons when I first started using the plugin, just to support you guys (and because the add-ons are great of course) and I will keep doing that for as long as I use the plugin.
That being said, I hope my efforts can help me have a faster website for my visitors, maybe help the plugin be even more amazing, and potentially help a lot of users of the WPForo plugin to better understand this issue with caching that they might experience without even knowing it.
It took me months to figure out why my site was slow and caching wouldn't work. but, I found it. I did a lot of learning, and mind you, I'm still not an expert at all... so, please excuse any weird things I might say.
Here is what I learned:
The function 'wpforo_is_session_started()' called in a PHP file starts a unique user session by placing the PHPSESSID cookie locally in the browser of the visitor. If I understand it correctly the cookie is used to create a unique user session and store user data for the duration of that session (until the browser is closed and cookies are deleted). I also learned that Varnish Caching amongst most other caching solutions cannot serve the visitor any pages from the cache when there is a unique user session created by the cookie. Therefor when the cookie is present in the browser caching doesn't work and the pages are loaded in full from the server taking a lot more time. (in my case 4 seconds without caching instead of 1 second with caching).
For the forum-pages itself this is not a problem at all, no caching solution should ever cache the forum-pages because you guys did an amazing job providing internal caching and other stuff to make the forum super fast. I made exceptions for all forum-pages in my caching. That works perfect and I'm thankful for how fast you made the forum.
However, when the PHPSESSID cookie is placed in the browser by the WPForo plugin, it stays there. The caching solution I use (Varnish) sees the cookie and stops ALL caching. That means that when a user has the cookie stored in their browser, even the about page, blog posts, or home page which have nothing to do with the forum are not being cached anymore because the cookie is still in their browser. That, is the real problem I'm having.
The result: The forum-pages on my website are super fast because you guys took good care of that, but the rest of the website is super slow because the PHPSESSID cookie remains in the browser and no caching occurs anymore for the rest of the website for as long as the cookie is stored in the browser.
In my previous post I wondered why after changing the code like @martin suggested, the PHPSESSID cookie was still being placed by the plugin. I did some searching myself. I went through all the PHP files that belong to the plugin and found 4 more mentions of the function 'wpforo_is_session_started()' in other PHP files.
3x in class-notices.php
1x in wpf-hooks.php
I'm assuming these files are still placing the session cookie in the browser and creating the same caching problem for me.
My question is, can they be disabled in these two files just like @martin suggested for the functions.php file?
And if yes, then what code should I use there as a replacement and what features would that affect?
Also, are you going to address all of this in a future update so that the _session_started() is not used at all anymore by the plugin? I learned that besides caching issues this method also creates security issues. Most other plugins (Woocommerce, etc.) say they have stopped using this method because of that.
Again, no criticism. Just hoping I can keep using WPForo for ever and ever.
Your help and efforts are greatly appreciated and if nothing can be done at this moment and I have to wait for the update that's fine, I have patience. I just think it's good to keep an open discussion about this.
Thanks again for making this amazing plugin and taking the time to address this problem.
Hope you guys have a great weekend!
Thank you for the kind words @david_nova,
The code provided by Martin is the wpforo_is_session_started() function body. So if you've already removed the session_start from the body of this function it doesn't matter how many times and where you call that function it always works with your changed body. So there is no mean to remove calls of wpforo_is_session_started() function if the wpforo_is_session_started() body is already cleared.
I hope you see what I mean and you don't need programming skills to understand the way it works. Again, the function is declared once. Then you can call it wherever you want, it'll do what you've declared in the function body. So if you've removed the session_start in the function declaration it means there is no more session_start process in that function and all class from other files don't have the session_start too.
So I think the issue is not related to this. We should find other problem causer. The session_start is 100% removed by Martins code from the wpForo core.
Let's do some test by disabling wpForo Addons. First please disable these addons:
- wpForo Adnvaced Attachments
- wpForo User Custom Fields
- Go2wpForo Migration Plugin (if you have)
Then delete all caches, purge all cookies of your browser, close it (this is very important), open it again, and test it again with different browsers. Don't forget delete all caches each time.
If the issue is not fixed, disable all wpForo Addons and do the same.
This code replacement didn't resolve the issue for caching using SG Optimizer and the siteground.
Please keep posting in your topic and don't insert the table in the post. It makes all mixed. As It's already explained you should also deactivate addons. The changing of this code is not though. Once all is done make sure your browser cookies are deleted before testing. I close this topic to let you continue the discussion in your topic.
