• Resolved Abigailm

    (@abigailm)


    Is there a way to limit the setting of cookies with this plugin? There are only a small number of users who will login or have accounts, and the cookies set by this plugin are triggering an OWASP rule in ModSecurity. (This happens when the random characters for the cookies match a security rule meant to protect against malicious code). This is resulting in users being locked out from the site. I have been running this plugin for quite a while, but this problem with the false positives only started a few days ago — but there are repeated instances.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author Collins Agbonghama

    (@collizo4sky)

    ProfilePress uses the core WordPress function wp_signon() to log in users.

    WordPress does the cookie setting.

    If it only recently started happening, don’t you think it is from another plugin or source? How did you come to the conclusion that our plugin is responsible?

    Thread Starter Abigailm

    (@abigailm)

    The ModSecurity logs show that the rule is being triggered by this session cookie:

    ppwp_wp_session

    This cookie is set in this file, at lines 37-38 as follows:

    src/Classes/PPRESS_Session.php

    // Use WP_Session (default)

    if ( ! defined('WP_SESSION_COOKIE')) {
        define('WP_SESSION_COOKIE', 'ppwp_wp_session');
    }

    Also, the plugin was updated on my site to version 3.1.18 at around noon on 9/2/2021, and the first entry in the ModSecurity logs showing access being blocked to a user because of the triggered rule happened less than an hour after the plugin update.

    In sum:
    1. The cookie that triggers the problem is set by a file in your plugin
    2. The problem started right after the most recent update to your plugin

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    I see what you mean. Please open a ticket via https://profilepress.net/support/

    And we will add a filter to the plugin to disable it for you.

    Thread Starter Abigailm

    (@abigailm)

    Thanks.

    I can confirm I’m having the same problem.

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    Please open a ticket via https://profilepress.net/support/

    Hi,

    I submitted a ticket regarding this issue five days ago to the link you posted, but haven’t received any kind of response. I am still experiencing the same problem.

    How can I remedy this issue?

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    Please open a ticket @dannydover where we will provide you with a code snippet utilizing a filter we are yet to include in an update.

    @collizo4sky I already submitted one ticket, but didn’t get any kind of response or confirmation that the ticket was received. Should I file a second ticket?

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    We didn’t get your ticket. Please submit it again.

    Hi, I re-submitted the ticket to https://profilepress.net/submit-ticket/ but still haven’t received any confirmation that the ticket was received. I’ve tried this on two different computers on two different networks, both using the latest version of FireFox.

    Were any of my tickets received?

    To save us both time, the ticket is copied below:

    After upgrading to the latest version of ProfilePress, my website started reporting a PHP Warning which indicates that a cronjob interacting with the ProfilePress plugin (wp-user-avatar) is causing a warning related to WP_Session::set_cookie.

    Log entry below:

    PHP Warning · Cannot modify header information – headers already sent by (output started at /var/www/vhosts/example.com/httpdocs/wp-cron.php:28)
    [internal] setcookie
    /var/www/vhosts/example.com/httpdocs/wp-content/plugins/wp-user-avatar/src/lib/wp_session/class-wp-session.php:135 WP_Session::set_cookie

    My website doesn’t allow non-staff members to log in, so setting this cookie is not necessary for the vast majority of my traffic. How do I disable this?

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    We still didn’t get your message. I’ll check if it ended up as spam.

    Anyways sorry about the issue.

    Replace /wp-user-avatar/src/Classes/PPRESS_Session.php with the content of https://pastebin.com/raw/Ws3KYdW5

    And then use the code below to disable it. Don’t worry, the next update will contain the filter.

    add_filter('ppress_should_start_session', '__return_false');

    Please put the code in a plugin, e.g. a site-specific plugin, and not your theme’s functions.php file.
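One way to apply the filter above so that the session (and therefore the ppwp_wp_session cookie) is only started for requests that can actually use it, written as a complete must-use plugin. This is an added example, not code from the original post or from ProfilePress. It assumes a plugin version that already contains the ppress_should_start_session filter, that the filter passes a boolean and treats a false return as "do not start the session", that the filter runs on or after plugins_loaded (so is_user_logged_in() is available), and the allow-list of paths (/login, /register, /my-account) is a hypothetical placeholder to replace with your own page slugs.

```php
<?php
/**
 * Plugin Name: Limit ProfilePress session cookie (example)
 * Description: Example mu-plugin, not part of ProfilePress. Lets ProfilePress
 *              start its session only for logged-in users, for the pages that
 *              host the account forms, and never for WP-Cron or WP-CLI.
 */

// Assumption: filter name and boolean contract as in the snippet posted in
// the thread; returning false stops ProfilePress from starting the session.
add_filter( 'ppress_should_start_session', 'example_limit_ppress_session', 10, 1 );

/**
 * Decide whether ProfilePress may start a session for the current request.
 *
 * @param bool $should_start The value ProfilePress would otherwise use.
 * @return bool
 */
function example_limit_ppress_session( $should_start ) {
    // WP-Cron and WP-CLI have no browser to receive a cookie, and wp-cron.php
    // has already sent output when setcookie() runs, which is the
    // "headers already sent" warning quoted earlier in this thread.
    if ( wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return false;
    }

    // Authenticated users are the only ones who use the account features,
    // so they keep whatever ProfilePress decided.
    if ( is_user_logged_in() ) {
        return $should_start;
    }

    // Hypothetical allow-list: anonymous visitors only need a session on the
    // pages that carry the login/registration forms. Replace with your slugs.
    $allowed_prefixes = array( '/login', '/register', '/my-account', '/wp-login.php' );

    $path = '';
    if ( isset( $_SERVER['REQUEST_URI'] ) ) {
        $path = (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    }

    foreach ( $allowed_prefixes as $prefix ) {
        if ( 0 === strpos( $path, $prefix ) ) {
            return $should_start;
        }
    }

    // Every other anonymous request: no session, so no ppwp_wp_session cookie
    // for ModSecurity to inspect.
    return false;
}
```

Save the file under wp-content/mu-plugins/ so it loads before ProfilePress and does not depend on the active theme. If you would rather switch the session off for everyone, the one-line __return_false snippet above does that; this version keeps it for the few accounts that need it.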

    threeholepunchman

    (@threeholepunchman)

    I’m seeing this issue with ProfilePress 3.2.5 also. Was a fix ever rolled out in a patch?

    Plugin Author Collins Agbonghama

    (@collizo4sky)

    Use the code above to disable it.

    threeholepunchman

    (@threeholepunchman)

    Thanks for replying, but the pastebin linked above has expired.
