Refactored Session usage with cookies #58
Merged
This PR fixes #52 by refactoring the code to use cookies instead of sessions. We replaced all `session_start()`-based state tracking with signed, HTTP-only cookies. Sessions turned every request into a “do-not-cache” hit, which broke performance on hosts that sit behind full-page caches (NGINX, Varnish, CDNs) and triggered a warning from the WP Plugin Review Team. Moving to cookies restores full cacheability while keeping user data on the client, and the scheme remains secure because each cookie value is protected with an HMAC derived from `wp_salt('auth')` and bound to a lightweight device fingerprint.

The new `PayButton_State` helper now stores the user’s wallet address and unlocked-content list in two cookies that expire after seven days. Cookies are set only when their value changes (reducing cache-bypass headers), are flagged `Secure`, `HttpOnly`, and `SameSite=Lax`, and are validated on every read. All previous `$_SESSION` references and session headers were removed, so sites gain immediate compatibility with managed-WordPress caching layers without altering existing paywall functionality.

Test plan:
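A minimal signed-cookie helper in the spirit of the scheme described above, added here as an illustration; it is not the PR's `PayButton_State` code. It assumes a `$secret` (which inside WordPress would come from `wp_salt('auth')`) and a fingerprint derived from the User-Agent string, both choices made for this example.

```php
<?php
// Illustrative helper (not the PR's PayButton_State). Requires PHP 8.0+.
// $secret stands in for wp_salt('auth'); the fingerprint is an assumption of this example.
final class SignedCookieExample {
    private const TTL = 7 * 24 * 60 * 60; // seven-day lifetime, as in the PR

    public function __construct(private string $secret, private string $fingerprint) {}

    // Encode as base64url(json) . expiry . hmac; the MAC covers payload, expiry and
    // fingerprint, so changing any of them invalidates the cookie.
    public function seal(array $value, int $now): string {
        $payload = rtrim(strtr(base64_encode(json_encode($value)), '+/', '-_'), '=');
        $expires = $now + self::TTL;
        $mac = hash_hmac('sha256', "$payload.$expires.{$this->fingerprint}", $this->secret);
        return "$payload.$expires.$mac";
    }

    // Validate on every read: constant-time MAC comparison first, then the expiry check.
    public function open(string $cookie, int $now): ?array {
        $parts = explode('.', $cookie);
        if (count($parts) !== 3) return null;
        [$payload, $expires, $mac] = $parts;
        $expected = hash_hmac('sha256', "$payload.$expires.{$this->fingerprint}", $this->secret);
        if (!hash_equals($expected, $mac) || (int)$expires < $now) return null;
        $json = base64_decode(strtr($payload, '-_', '+/'), true);
        $value = $json === false ? null : json_decode($json, true);
        return is_array($value) ? $value : null;
    }

    // Send the cookie only when its value changed, with the flags the PR names.
    public function sendIfChanged(string $name, array $value, int $now): bool {
        $current = isset($_COOKIE[$name]) ? $this->open($_COOKIE[$name], $now) : null;
        if ($current === $value) return false;
        setcookie($name, $this->seal($value, $now), [
            'expires' => $now + self::TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
        return true;
    }
}

// Standalone check with constructed values.
$ua = hash('sha256', 'Mozilla/5.0 (example UA)');
$helper = new SignedCookieExample('example-secret', $ua);
$now = 1_700_000_000;
$cookie = $helper->seal(['wallet' => 'bitcoincash:qexample', 'unlocked' => [42, 77]], $now);
var_dump($helper->open($cookie, $now + 3600) !== null);            // true: valid, fresh
var_dump($helper->open($cookie, $now + 8 * 86400) === null);       // true: expired
var_dump($helper->open($cookie . 'x', $now) === null);             // true: tampered MAC
$other = new SignedCookieExample('example-secret', hash('sha256', 'different UA'));
var_dump($other->open($cookie, $now) === null);                    // true: fingerprint mismatch
```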