How to set and check for cookies in WordPress


Cookies are little pieces of information that websites can store on your computer for reference later. For example, WordPress uses cookies to store your login session, so that you don’t have to log in every time you go to a protected page.

They can also be used for much simpler tasks, such as storing information about when a user has completed a form. In the example below, I’m going to show how to set a cookie in the user’s browser when they fill out a Gravity Form.

Setting a cookie

Gravity Forms has an action hook called gform_after_submission, which fires after a form has been submitted and committed to the database. We’re going to use that action hook to set the cookie, so that we know when a user has submitted the form. gform_after_submission can have a number appended to it to apply to a specific form, so in this case, I’m targeting the form with an ID of 1. This belongs in your functionality plugin:

The setcookie function is a PHP function, and the parameters in the function above are as follows:

  • form-1-complete – the cookie name. This is a descriptive name that you will reference when checking for the cookie, as you’ll see below.
  • 1 – this is the value of the cookie. I’m setting it as a 1 to notate that the form has been completed (as opposed to a 0).
  • strtotime( ‘+30 days’ ) – this is how long the cookie will be stored. Using strtotime allows you to set a time relative to when the function runs, as opposed to a fixed time, such as Dec 31, 2020. So in this example, the cookie will expire 30 days after the user completes the form.
  • The other four parameters you shouldn’t have to worry about, unless you want to specify whether the cookie should be available on HTTP or HTTPS exclusively.

Now every time form 1 is filled out, a cookie with the name form-1-complete and a value of 1 will be set in the user’s browser and it will expire in 30 days.

This is just an example of how to set a cookie, but you could apply to many more situations by tapping into the appropriate action hook.

Checking for a cookie

Now that you’re able to set cookies at will, you’re going to want to use them to perform an action at an appropriate point, perhaps to display a notice, or to provide access to previously restricted material.

To check whether a cookie is set in the user’s browser, we can look whether $_COOKIE[‘form-1-complete’] is set. Note that form-1-complete is the cookie name we specified above.

In the example below, I’ve combined checking for the cookie with a couple of other checks to hide premium content, unless all checks are met. So, if the post has a meta_key of ‘protected’ set to ‘yes’ (so that standard content won’t be affected), the user isn’t logged in (so that admins can always see the content) and the cookie ‘form-1-complete’ isn’t set (the form has not been filled out), then the user will have the content hidden from them, and a message displayed instead, indicating that they need to fill out the form. Otherwise, if any of those variables aren’t met (for example, if the user has filled out the form, meaning that the cookie form-1-complete is set and the user is a subscriber to your newsletter), then the content will be shown without restriction.

This is a powerful tool when you don’t want to rely on adding the information to the user’s profile (so that visitors are accounted for as well) to store information about a user and then use it to perform an action of some sort.

Of course, it’s not without limitations: cookies can be deleted and some users don’t even allow cookies to be set in their browsers. Then there’s also the EU (and maybe other jurisdcitions) cookie law that needs to be conformed to. So, consider this a tool in your belt that will work in some instances, but not in others.

7 thoughts on “How to set and check for cookies in WordPress”

  1. Ben says:

    Hi Dave,
    Thanks for the post! I’m trying to modify a plugin to use a session and a cookie so I can set the cookie to expire at a given timeframe. The plugin originally uses sessions, but I would like to be able to set and expiration and keep the session incase the users have cookies disabled. Would you be willing to take a look at the following code and see it makes sense. This may be way off, I’m still learning PHP.

    /* Place a session variable that marks the current visitor as having completed the specified goal */
    function completeGoal($goalName)
    $sessionKey = 'goal_' . md5($goalName);
    $sessionValue = 'goal_completed_' . md5($goalName);
    $_SESSION[$sessionKey] = $sessionValue;
    return '';

    if ($_SESSION[$sessionKey] = $sessionValue;) {
    setcookie( 'form-1-complete', 1, strtotime( '+30 days' ), COOKIEPATH, COOKIE_DOMAIN, false, false )};

    /* Returns true/false, indicated whether the specified goal has been completed */
    function wasGoalCompleted($goalName)
    $sessionKey = 'goal_' . md5($goalName);
    $sessionValue = 'goal_completed_' . md5($goalName);
    return (isset($_SESSION[$sessionKey]) && $_SESSION[$sessionKey] || isset($_COOKIE['form-1-complete']) == $sessionValue);

    1. Hi Ben,

      Thanks for the question. I’ve actually not worked with sessions before, so I couldn’t tell you if this is correct or not. You might want to check out Stack Exchange for an expert answer.

      1. Ben says:

        Thanks I posted it to stack overflow. Here is the link incase anyone has a similar question:

  2. naomi says:

    This was helpful. Thanks so much, Dave!

    I wanted to configure this so that text could be hidden and shown via a shortcode and not just the whole page. Here’s the code in case it’s helpful for anyone else too:


    //Setting a cookie for assessment submission
    function set_form_1_complete_cookie() {
    setcookie( ‘form-1-complete’, 1, strtotime( ‘+30 days’ ), COOKIEPATH, COOKIE_DOMAIN, false, false );

    add_action( ‘gform_after_submission_1’, ‘set_form_1_complete_cookie’ );

    // [hide_text]some text here – only for people who’ve submitted form[/hide_text]
    function hide_text_func($atts, $content=null) {
    extract(shortcode_atts(array(‘noatts’ => ‘Unknown’ ), $atts));
    $output = ”;
    if (!is_null($content) && isset( $_COOKIE[‘form-1-complete’] ) ) {
    $output = $content;

    return $output;
    add_shortcode(‘hide_text’, ‘hide_text_func’);


    1. Thanks Naomi. To retain the formatting and encoding, it may be better to post this as a gist or inside code tags

  3. Max says:

    Hello, and thanks for these instructions. :)

    If I understand correctly, this kind of protection still leaves the posts visible in the archives, and just protects the content.
    What if, for example, one wanted to COMPLETELY hide posts using this “cookie-technique”?

    What I’d like to achieve, basically, is replicating the behavior of “private” posts… except that I don’t want to make them really private. I need to be able to use the “private” post status for other things… like private content, for instance. :P

    The readers, in my scenario, should be totally unaware of the very existence of the protected posts, until the cookie is set.
    What code should I use?

    I’m building a site with this exact feature for personal use (a game with friends – I don’t want to bother anyone with the details but feel free to ask), and I’m getting this chance to learn something.

    I have an understanding of php and js of course, but at this point, I’m at a loss.
    “pre_get_posts” seems the way to do it, but I’m really not sure about the details.

    If you feel like helping, I’d be more than happy! :)
    I could probably figure this out, but I should mess around with code for a few days, probably.
    I mean a few more; it’s been a while already since I started. :D

    Oh, and sorry if I made mistakes, English is not my native language.

    1. Max, I’m not really sure what you’re trying to achieve, but you could definitely pull posts out of the main query on any given page using pre_get_posts with a conditional that checks for your cookie.

Leave a Reply