scriptygoddess

29 Jun, 2004

Forget User Info

Posted by: Jennifer In: WordPress my-hacks additions|WordPress scripts

When someone leaves a comment on a WordPress blog, a cookie is saved to their computer with the name, e-mail, and URI that they entered. This is quite handy for most people, but it may bother those who use public or shared computers. WordPress does not by default have a way for commenters to specify that they don't want their info saved to a cookie, so here's a way to do that.

Warning: This is not just a plugin. You are going to add a few lines to a core WordPress file. Just so you know.

2 files need to be modified: wp-comments.php (to put in the checkbox for "don't remember my info" and the "delete my cookie" link), and wp-comments-post.php (to ensure that the cookie isn't saved if the user requests that it not be), and you need to install a plugin to handle manual "delete my cookie" requests. (Just a side note, and this applies to anytime you need to modify an existing page, you should make backups of the wp-comments.php, and wp-comments-post.php page before you make your changes)

Step 1

Open up wp-comments-post.php and find these lines (89, 90 and 91):

setcookie('comment_author_' . $cookiehash, $author, time() + 30000000, COOKIEPATH);
setcookie('comment_author_email_' . $cookiehash, $email, time() + 30000000, COOKIEPATH);
setcookie('comment_author_url_' . $cookiehash, $url, time() + 30000000, COOKIEPATH);

Change those lines to the following:

if($_POST['forget_cookie'] == 'forget'){
setcookie('comment_author_' . $cookiehash, ", time()-60000, COOKIEPATH);
setcookie('comment_author_email_' . $cookiehash, ", time()-60000, COOKIEPATH);
setcookie('comment_author_url_' . $cookiehash, ", time()-60000, COOKIEPATH);
} else {
setcookie('comment_author_' . $cookiehash, $author, time() + 30000000, COOKIEPATH);
setcookie('comment_author_email_' . $cookiehash, $email, time() + 30000000, COOKIEPATH);
setcookie('comment_author_url_' . $cookiehash, $url, time() + 30000000, COOKIEPATH);
}

Save wp-comments-post.php and upload the new version.

Step 2

Add the following code to your my-hacks.php.

/*
Code Reference Name: Forget User Info
URI: http://www.scriptygoddess.com/archives/2004/06/29/forget-user-info/
Description: Deletes the comment cookie when ?forget_user_info=1 is passed to the URL
Version: 1.0
Author: Mark Jaquith
Author URI: http://www.txfx.net/
*/
if($_GET['forget_user_info']) { // User has manually requested that their cookie be deleted.
setcookie('comment_author_' . $cookiehash, ", time()-60000, COOKIEPATH); setcookie('comment_author_email_' . $cookiehash, ", time()-60000, COOKIEPATH); setcookie('comment_author_url_' . $cookiehash, ", time()-60000, COOKIEPATH);
unset($comment_author, $comment_author_email, $comment_author_url);
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-cache, must-revalidate');
header('Pragma: no-cache');
$location = $_SERVER["HTTP_REFERER"];
if ($is_IIS) {
header("Refresh: 0;url=$location");
} else {
header("Location: $location");
}
}

Step 3

Open up wp-comments.php.

Add this line, somewhere in the form section:
(You should also probably give the input a tabindex, and reorder any other input tabindexes that follow, so that your users don't become human pinballs when they press TAB to go to the next form element.)

<p>
<input type="checkbox" name="forget_cookie" id="forget_cookie" value="forget" />
<label for="forget_cookie">Do not save my info</label>
</p>

Add this line where you think it would be appropriate:

<?php if (strlen($comment_author) != 0 || strlen($comment_author_email) != 0 || strlen($comment_author_url) != 0) { echo '<p>Your info has been saved, but you may <a href="' . $_SERVER['REQUEST_URI'] . '?forget_user_info=1">delete your cookie</a> if you wish.</p>'; } ?>

Save your changes to wp-comments.php, upload the new version, and you're done!

24 Responses to "Forget User Info"

1 | a wolf angel is not a good angel » Hacking my way, badly

September 21st, 2004 at 4:10 pm

Avatar

[…] 2; wolfangel @ 12:10 pm I tried to add a "forget user info" hack (from scriptygoddess), but it seems to have screwed up something with the headers. O […]

2 | Code Novice

June 29th, 2004 at 9:36 pm

Avatar

WP: Forget Commenter Info Cookie
WordPress doesn't provide a 'forget info' option for commenters. Here's a method that will solve that problem. You will need to hack a WP file in addition to installing the plugin, so it's primarily aimed at experienced WP us…

3 | Neil Stead

June 30th, 2004 at 8:50 am

Avatar

Thank you!

I posted a question on the WordPress Support Forum about this 3 weeks ago – it's nice to find out how to do it!

4 | Neil Stead

June 30th, 2004 at 9:16 am

Avatar

OK, I should hace read this more carefully before posting a comment – I hadn't grasped the fact that it's for posting comments, rather than posting in general.

Still, it's a step in the right direction… Guess I might have to bite the bullet and try hacking some code myself!

5 | Jennifer

June 30th, 2004 at 9:24 am

Avatar

Neil – Yes, this bothers me too. I post from work sometimes (shh! Don't tell! LOL!) and I ALWAYS forget to logout. (scary) As well – at least in the past – sometimes it seemed like the browser was STILL remembering SOME of my info, even after logging out.

If I get some time, I will look into this. No guarantees – but I will try. In the event that you beat me to it – please let me know. I'm sure there are others who are interested in this as well. (If you figure it out – maybe I could convince you to do a "guest authored post" here?)

6 | Jennifer

June 30th, 2004 at 9:35 am

Avatar

FYI – just one more thing. My initial thoughts on this would be that you'd have to change the way WordPress is setting the cookies. ie – You'd need to use *session* cookies (AFAIK – those are the only (?) ones that go away when you close your browser, timeout, etc.). That's how I'd approach it. My only concern would be whether the rest of wordpress would recogonize those cookies (as if they're the "regular" cookies). If so – it should be an easy fix (possibly only one page). Otherwise – we're talking some massive changes. I might be able to play with this tonight… I'll keep you posted.

7 | Mark J

June 30th, 2004 at 3:38 pm

Avatar

Actually, all cookies can be set with an expiration date. The difference between a session cookie and a regular cookie, is that session cookies only save a session id to your computer. This session id has session info that is stored on the SERVER and is only related to the user by means of the session id. Sessions have an expiration date, but it is enforced on the server side. So if you've been idle too long and try to access something, it will give you a "sorry, you're not logged in" message because the session has expired (even though the cookie may not have).

Using PHP, there is no way to directly delete a cookie. You cannot directly control it. In order to delete a cookie (and you can see this in my hack above), you have to set the cookie with an expiration date in the past. When the browser sees this, it should automatically delete it (but then again, it doesn't HAVE to).

If you wanted a little more privacy when authoring in WordPress, you could go in and change the expiration date set in the cookie.

Currently, WordPress sets the cookie to expire in one year (literally, time() + 31536000 seconds).

Open up /wp-login.php

Edit these lines:

123 setcookie('wordpressuser_'.$cookiehash, $user_login, time() + 31536000, COOKIEPATH);
124 setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time() + 31536000, COOKIEPATH);

Just change 31536000 to something different. If your brain can't multiply by 60 (to convert minutes to seconds), you can just enter in something like:

time() + 60*30,

which would set the cookie to expire in 30 minutes.

Make sure you edit the right lines… the LOGOUT lines set the cookie to time() – 31536000 (ie, a year ago), so make sure you edit the ones with the cookie set to expire one year in the FUTURE.

8 | Andrew

June 30th, 2004 at 3:47 pm

Avatar

Sessions cookies are regular cookies, in general. If I recall correctly when I was last digging around in the WordPress code, there was no check to see that the cookie had an expiration date set (that's the only difference between a regular cookie and a session cookie). Usually it only makes a difference to the browser, not to the server.

9 | Andrew

June 30th, 2004 at 3:57 pm

Avatar

As indicated at http://www.php.net/manual/en/function.setcookie.php you can pass NULL instead of the
time() + 31536000
to setcookie()
and that will make it a session cookie.

10 | Mark J

June 30th, 2004 at 5:37 pm

Avatar

Andrew: if you set a cookie expiration to NULL, it will be deleted at the end of the BROWSER session. As soon as you close that browser window (or the whole browser program, depending on the browser), the cookie is deleted. This is different from a PHP session. A PHP session is data stored on the SERVER, and linked to a user by means of a session cookie.

Some times also maintain PHP sessions without cookies… by appending the session_id to each and every internal UR L (which us very tedious from a programming standpoint).

PHP sessions have expiration dates. If you don't set one, it is usually 30 minutes. After a PHP session is expired or destroyed, the session cookie it set on the user's computer is worthless, because it refers to a session that no longer exists. As well, the cookie contains no user info (user name, encrypted password, etc), only the worthless PHP session id. Of course, a PHP session cookie can have its own expiration date, but it would be silly to set it to expire before the PHP session expires.

WordPress does not use PHP sessions. It merely sets a cookie with your username and your md5'd password. The expiration is set one year in the future.

If you changed that expiration value to NULL, the cookie would be deleted every time you closed your browser (really good for the paranoid).

11 | Jennifer

June 30th, 2004 at 8:04 pm

Avatar

What would be better – is (like MT did) if you check a box that says "remember my login" – it sets the cookie as normal – if not, then it sets it as null so it will expire when you close your browser (which would be good for shared or work computers)

13 | Carthik

July 1st, 2004 at 12:33 pm

Avatar

Maybe this can be sent to the devs for consideration too. Nice hack.

14 | Mark J

July 1st, 2004 at 10:16 pm

Avatar

Thanks Carthik. I e-mailed Matt a link a few days ago.

15 | typedby.com

July 2nd, 2004 at 5:44 pm

Avatar

Forget user info
I implemented a Scriptygoddess hack that allows people who comment on this site to delete their user info (name, email and site address) after posting a comment. This feature is for those people who use a shared computer and want to make sure that th…

16 | Andrew

July 3rd, 2004 at 12:21 pm

Avatar

Mark: my reference to setting cookies with null timeout (and hence closing at the browser session) was in reference to those that blog from work (posting in general) and would like to not have to worry about forgetting to log out – my apologies for not making that clearer.

17 | Mama Write

July 7th, 2004 at 8:01 pm

Avatar

Various WordPress Links
Rather than ping ScriptyGoddess multiple times and clog my sideblog with even more WordPress links, I decided to plop 'em all here. I'm going to give WordPress a try again on my course website, since there are various hacks that…

18 | james

November 11th, 2004 at 6:43 pm

Avatar

Hi,

I just found this guide and can't seem to get it to work. Any chance you can help me out?

I change the code as suggested.

setcookie('wordpressuser_'.$cookiehash, $user_login, NULL, COOKIEPATH);
setcookie('wordpresspass_'.$cookiehash, md5($user_pass), NULL, COOKIEPATH);

but I still am permenently logged in, even after I close my browser. I am using wordpress 1.2.1

Is that all there was to it? or am i missing something?

Thanks!

19 | james

November 11th, 2004 at 6:45 pm

Avatar

oops, wrong section, sorry. was asking about the main login.

20 | Mark J

November 11th, 2004 at 6:48 pm

Avatar

James, you may need to flush the old cookie from your browser's cache

21 | james

November 14th, 2004 at 9:47 pm

Avatar

Thanks Mark J, but still does not work. I am actually just trying to work with the user login so that the next person who uses the computer cannot enter the admin area. But even after dumping my cookies it seems if I log in and close my browser, when I open it again I can go straight into the admin area without logging in.

This is a huge issue to me because the whole point of my weblogs are for people who are traveling to us it, so as it is, every computer in every internet cafe they use now has access to the admin area (if they forget to log out, which is very likely).

Well, I am going to keep looking for a fix to this problem. Thanks for the help.

22 | james

November 14th, 2004 at 10:19 pm

Avatar

sorry for so many comments!

just wanted to let you know that it actually does seem to be working now.

my only guess is that I was doing something in the wrong order when I was deleted my cookies or I had another window open.

anyway, thanks for the advice!

23 | Mark J

January 6th, 2005 at 6:12 pm

Avatar

Just a little update for people using themes in WordPress 1.3 or above:

Instead of editing wp-comments.php you'll have to edit comments.php in your theme directory. If it isn't there, just follow the directions like normal.

24 | Patrick

January 10th, 2005 at 11:13 pm

Avatar

Hi there!
I was just wondering if there is any way to adjust the comment cookie? It seems that wordpress comments only remember a commentor for a day, I would like to increase this so regular commentors don't have to keep typing their details in. Is it possable?

Featured Sponsors

Genesis Framework for WordPress

Advertise Here


  • Scott: Just moved changed the site URL as WP's installed in a subfolder. Cookie clearance worked for me. Thanks!
  • Stephen Lareau: Hi great blog thanks. Just thought I would add that it helps to put target = like this:1-800-555-1212 and
  • Cord Blomquist: Jennifer, you may want to check out tp2wp.com, a new service my company just launched that converts TypePad and Movable Type export files into WordPre

About


Advertisements