Sign inBlogSupportContact
General

Set browser cookies from a WordPress macro

Remember visitor preferences. Mark a user as "seen the promo." Set a session flag. 365-day default expiry. Reserved WordPress cookie names blocked.

3 min read May 2026 set user cookie

Setting cookies from server-side WordPress is clumsy

You want a macro step that marks a visitor as "seen this offer" so a promo banner stops showing. In JavaScript this is document.cookie = "seen_promo=1". In PHP it's setcookie() with a carefully-constructed expiry date, path, and secure flag — easy to get wrong.

Worse: set a cookie named wp_user_session by accident and you can break logged-in sessions. setcookie() has no safety net for WordPress-reserved names.

What most people do instead

Call setcookie() in custom PHPEasy to typo expiry math. Easy to collide with WP-reserved cookie names.
Use JavaScript document.cookieWorks in browser, not in server-side macros. Can't set from a triggered backend action.
Mirror to session storage insteadWordPress doesn't use PHP sessions natively. Adds complexity for a cookie write.

A better way: safe cookie writes from a macro

Run set user cookie -name=cookie_name -value=value. Default expiry is 365 days. Pass -expires=0 for a session cookie. Reserved WordPress cookie names (anything starting with wp_, wordpress_, or PHPSESSID) are rejected.

Macro Builder
set user cookie -name=seen_promo -value=1 -expires=30
Cookie set
Active in visitor's browser
Name: seen_promo
Value: 1
Expires: 30 days
Reserved-name check: passedsafe
↑↓ navigate runesc close

Reserved names blocked. Names starting with wp_, wordpress_, or PHPSESSID are rejected — so a macro can't accidentally stomp on a logged-in session or break WordPress internals.

How it works

Wraps setcookie() with sensible defaults (path=/, secure + httpOnly when site is HTTPS) and a reserved-name blocklist. Default expiry is 365 days. Pass -expires=0 for a session cookie. Empty -value effectively deletes the cookie.

1
Set name, value, expiryPass -expires=<days>. 0 = session cookie, omitted = 365 days.
2
Reserved-name check runs firstWP-internal cookie names are rejected before write.
3
Cookie is in the visitor's browser on next responseVisible to JavaScript, subsequent requests, and get user cookie.
ParameterValue
-name(required)Cookie name (non-reserved)
-value(required)Cookie value (string). Empty value deletes the cookie.
-expiresDays until expiry. Default 365. Pass 0 for a session cookie.
Reserved prefixeswp_, wordpress_, PHPSESSID — blocked
FlagshttpOnly + secure auto-applied on HTTPS sites
Can be used in
Macro

Real example

You run a limited-time promo banner. After a visitor dismisses it, you want the banner hidden for 30 days. A JavaScript listener already exists — but you want the "seen" flag stored server-side so it persists across devices if the user logs in.

The macro triggers on "dismiss_promo" webhook from your frontend JS. Step 1: set user cookie -name=seen_promo -value=1 -expires=30. Step 2 (if user is logged in): update user meta -key=seen_promo -value=1. The banner stays hidden for 30 days on this browser, and forever on any device where the user is logged in.

Goes further with TrueCommander

Read cookies tooPair with get-user-cookie to read/write state across macro runs.
Sync to user metaFor logged-in users, also write to user meta so state follows them across devices.
Trigger-based cookie managementSet cookies on user_register, order_paid, form_submit — any event with a macro trigger.
Ready?

This is one of 91 commands. All included with every license.

Install in 10 secondsBrowse all commands
Related commands

You might also need these.

Get user cookie
Read a browser cookie by name
general
Update user meta
Write user meta safely with privilege protection
users
Redirect
Add a site redirect from path to path
general
Browse all 91 commands
Cookies. The short version.

Essential cookies keep the cart and theme working. Analytics only fire if you say yes. Read our policy.