I’ve developed quite some wordpress plugins which use a user system incl. login, logout etc. features using PHP’s $_SESSION superglobal.
Now I’m stuck in a project where the client does some sensitive request authentications using $_SESSION data, hence the need of some custom cookie parameters, like HTTPOnly, SameSite, etc.
I’m just confused now that when I call session_start() on the top of a page, and then, immediately afterwards, do sth like:
setcookie(
session_name(),
session_id(),
[
'expires' => time() + 600,
'path' => '/',
'domain' => 'localhost',
'secure' => true,
'httponly' => true,
'samesite' => 'Strict'
]
);
The according cookie parameters are NOT set (I can see in the dev tool, under (Chrome) Application -> Cookies -> go to the session cookie of the page), that the according httponly and secure flags are NOT being applied to the session cookie. Why is that so?
Note: The page is in newbie development, there’s no plugin installed, so anything hampering this may come from the wp core..?
No matter where I call this; page templates (first line of code), functions.php, it never works.
UPDATE
I forgot that http headers are obviously sent before any output and placed the cookie callbacks in the page templates sending output, so will try to call the function earlier now.. Although I actually am calling the cb at the very top line of the page templates, so not sure..