How to change WordPress cookies to be session-only

I don't want my WP site to set any persistent cookies. Session cookies while I'm logged in are all I want to allow. I don't want to have to ask visitors for consent, so I need to be sure that none are set. Unfortunately WP makes this difficult.

I see that the wp_generate_auth_cookie function requires an expiry timestamp, so it's not capable of setting a session-only cookie. Amongst the cookies that are set by WP, one is curious. wordpress_test_cookie is the only one set without an expiry – so WP is clearly capable of doing this. It's curious that this particular cookie is set as session-only, which may mean that its utility as a cookie setting check is limited.

How can I persuade WP to not set cookies like that? It's also common for plugins to set cookies without consent or warning, and I want to be able to block them from doing so too.

I'm also looking at an alternative way to deal with this: use Lua scripting in my nginx reverse proxy to modify or delete cookies as they pass by, stripping expiry values from them, and possibly ensuring that all http-only, secure, and sameSite flags are set.

Yes, I am fully aware that this may compromise some aspects of using WordPress, and some plugins will break, but visitor privacy and the law takes precedence.

Are there plugins or other solutions that can help with this?

Topic session privacy cookies Wordpress

Category Web

1
answered at

The wp_generate_auth_cookie() function is a pluggable function, meaning you can define a function with the same name in a plugin and your version will be used instead of the WordPress core function.

The number of pluggable functions is limited, however. If you want a broad solution that works for all cookies, your lower-level Lua approach will be a better option.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.