Session cookie set on all pages when PayPal payment gateway is enabled, interfering with caching

[haszari]

Describe the bug

When PayPal Checkout gateway is enabled, there's a session cookie on all pages. This can interfere with caching and slow down sites. If the gateway is disabled, the session cookie is not present.

This was reported by a customer in 3077952-zen

Is this expected behaviour?

Apologies if this is the wrong PayPal Checkout plugin – I see there are a few :)

To reproduce

I reproduced this on a test site.

1. Install and activate PayPal Checkout extension.
2. Go to WooCommerce > Settings > Payments and enable PayPal Checkout gateway.
3. Load any page on the site and check the cookies. When PayPal is enabled, all pages have session cookie.

Example:

% curl -I https://ephemeral-haszari-20200621.atomicsites.blog | grep cookie
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
set-cookie: wp_woocommerce_session_213ed8cc0aeadadb99ae9907aa1615cd=150ad3491699d1de2025d906c25bde3c%7C%7C1593053485%7C%7C1593049885%7C%7C0e16d49e8a6ce173e4c18bb25c6651cd; expires=Thu, 25-Jun-2020 02:51:25 GMT; Max-Age=172800; path=/; secure; HttpOnly

Expected behavior

Session cookies on eComm/user-related pages, e.g. cart, checkout, my account, and no session cookie otherwise.

Environment (please complete the following information):

• WordPress Version 5.4.2
• WooCommerce Version 4.2.1
• PayPal (Express) Checkout Plugin Version 2.0.2
• Browser [e.g. chrome, safari] and Version Safari latest, curl
• Any other plugins installed Akismet, Jetpack, Loco Translate, AvaTax, Bookings, Smart Coupons, Stripe

[achyuthajoy]

@haszari The cookie wp_woocommerce_session is not set by the PayPal Checkout plugin. It's set by WooCommerce for logged-in users and contains a unique code for each customer so that it knows where to find the cart data in the database for each customer. More about WooCommerce cookies here - https://docs.woocommerce.com/document/woocommerce-cookies/

Most managed hosting services exclude this cookie to prevent problems with WooCommerce Cart / Checkout functionality. I would suggest not to cache the WooCommerce cookies since it might break the users site.

[tullibo]

Seeing the same issue - session cookie is immediately set even without interaction with the cart and not being logged in as a user. Disable the plugin and the issue goes away.

[achyuthajoy]

@tullibo Thanks for the report. Can confirm this behavior. The cookie is added by PPEC to if PayPal is enabled on Single Product pages. By default WooCommerce doesn't set this cookie unless a product is added to cart, however for direct purchases from single product pages to work, the cookie should be set.

Here is the reference to the cookie code - https://github.com/woocommerce/woocommerce-gateway-paypal-express-checkout/blob/fb334293bbe0e822cf9fbeccd19e737253c1ece0/includes/class-wc-gateway-ppec-cart-handler.php#L593

We'll try to modify this behavior and limit the cookie creation on WooCommerce pages only instead of all pages

@haszari Sorry! I missed this when you reported the issue.

[claudiulodro]

I think https://github.com/woocommerce/woocommerce-gateway-paypal-express-checkout/pull/793 should solve the issue nicely. It's not perfect because product pages won't cache, but it should be a big improvement over the current situation.