Showing results for 'cookie'.

  1. @Jim Bailie This seems like a good question for ChatGPT, at least to get a starting point. I asked it if it could convert .htaccess to nginx and it said: So I uploaded this v1 ProCache ruleset from one of my sites (I replaced product key with "xxx" for this example):

         # PROCACHE vfd31e36cd7ffdab982312621683b6fee
         RewriteCond %{REQUEST_METHOD} !=POST
         RewriteCond %{QUERY_STRING} !.*=.*
         RewriteCond %{HTTP_COOKIE} !^.*(wire_challenge|wires_challenge).*$
         RewriteCond %{DOCUMENT_ROOT}/site/assets/ProCache-xxx/$1/index.html -f
         RewriteRule ^(.*) %{DOCUMENT_ROOT}/site/assets/ProCache-xxx/$1/index.html [L]
         # /PROCACHE

     And it gave me this:

         # PROCACHE vfd31e36cd7ffdab982312621683b6fee equivalent for Nginx
         location / {
             # Skip cache if POST request, query string present, or cookie contains wire_challenge / wires_challenge
             if ($request_method = POST) { break; }
             if ($query_string != "") { break; }
             if ($http_cookie ~* "(wire_challenge|wires_challenge)") { break; }

             # Serve static cached HTML file if it exists
             if (-f $document_root/site/assets/ProCache-xxx/$uri/index.html) {
                 rewrite ^(.*)$ /site/assets/ProCache-xxx$uri/index.html break;
             }

             # Default: pass to ProcessWire (index.php)
             try_files $uri $uri/ /index.php?$query_string;
         }
         # /PROCACHE

     I have no idea if its nginx version works or not, but seems like it might be a potentially good way to convert something like this.
  2. Triggering Custom JS function Hi folks, I'm using Privacywire on a number of sites and it's working well, thank you! With Microsoft Clarity now moving to requiring a consent signal on cookie acceptance I had hoped to run a signal function for this with the 'Trigger a custom JS function' setting in Privacywire's config (right at the bottom). However, having declared a test function (to just console.log something) higher up in the page script files, and adding the function name into the Custom JS function field in Privacywire, I can't get the function to run when cookies are accepted. I have tried both the function name (e.g. 'myFunction') and with brackets (e.g. 'myFunction()') but neither seems to work. Anyone tried this and got it to work? Thanks for any help!
  3. I embed youtube videos and google maps into my site in various ways. To make the site privacy compliant, I would like to display an overlay above each video and map with a button “Load content” (loads the content once) and “Always load content” (sets the corresponding privacy wire cookie and loads the contents always). Is there already a solution for this? What is the best way to do this?
  4. Hello Fire, I can see you've put a lot of effort in helping to solve this so thanks for that, here is all the data from Firefox debugger:

     Response headers:

         HTTP/2 504
         server: nginx
         date: Wed, 23 Apr 2025 14:56:32 GMT
         content-type: text/html
         content-length: 160
         X-Firefox-Spdy: h2

     Request Headers

         POST /control/page/edit/?id=1&InputfieldFileAjax=1 HTTP/2
         Host: poeshappyplace.co.uk
         User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
         Accept: */*
         Accept-Language: en-GB,en;q=0.5
         Accept-Encoding: gzip, deflate, br, zstd
         X-FILENAME: Untitled-2.png
         X-FIELDNAME: upload
         Content-Type: application/octet-stream
         X-TOKEN1027973821X1745402814: siSF1CH8q.0WZrbaHLdq0L0z.LhNvGRm
         X-REQUESTED-WITH: XMLHttpRequest
         Content-Length: 17481650
         Origin: https://poeshappyplace.co.uk
         Connection: keep-alive
         Referer: https://poeshappyplace.co.uk/control/page/edit/?id=1
         Cookie: pagelist_open=JSON%5B%221-0%22%5D; wires_challenge=Fe1sdoBFEE6xRXKvRdBmNztesp%2FtkiDf; wires=659c1ebb45dd2830f72c4db8969fc57f; cpsession=%3aoH5Knnk_sYcRqUrk%2c8bdec0a2f45dd7304be705768bc383a6; timezone=Europe/London
         Sec-Fetch-Dest: empty
         Sec-Fetch-Mode: cors
         Sec-Fetch-Site: same-origin
         TE: trailers

     Stack Trace

         uploadFile https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:8629
         traverseFiles https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10645
         InitHTML5/initHTML5Item/< https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10818
         (Async: EventListener.handleEvent)
         initHTML5Item https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10765
         InitHTML5/< https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:4113
         each https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:4048
         each https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:1235
         InitHTML5 https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:4034
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:13726
         fire https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:43765
         fireWith https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:44935
         ready https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:47825
         completed https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:48339
         (Async: EventListener.handleEvent)
         jQuery.ready.promise https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:48608
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:49098
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:261
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:272

     Seems like it's timing out after the download, at which point I assume it's doing the database interaction. It doesn't write an error to any of the logs, it just times out. One host has confirmed that they are receiving a ReceiveAckHdr: timeout 300 is exceeded error in their logs. Their ReceiveAckHdr is set to 5 minutes, which I would have thought would be more than enough. I can confirm this, as in developer tools I can see that https://poeshappyplace.co.uk/control/page/edit/?id=1&InputfieldFileAjax=1 sits there for about five minutes before returning a 501 timeout error. I hope this helps, and if you require any further information to debug this, thank you for helping me with this. Thanks, Mark.
  5. I'm not sure in which cases specifically, but the menu sometimes needs a cookie/cache reset as well. I'm always using Tracy Debugger for that:
  6. The error message in the session cookie will be displayed in the console results pane on page reload - it's not logged because it will only ever be populated from code that is run in the console panel.
  7. Ah, sorry to mix the two things together. The download issue was backstory on why I was looking in the console and happened to see the error found within the session cookie string. The actual question related to Tracy was how I might be able to expose that error message (from the session cookie) in a log, if at all. I was thinking it was remnant files/folders from prior module versions that were upgraded, but if they're intended to be there, then I have no need or desire to remove them. Thanks for the quick clarification there!
  8. @BrendonKoz - the tracyCodeError cookie is only ever set by the Console Panel so I think that might not be related at all to the download issue. In fact I am not sure Tracy will be able to help you with that because the html download attribute isn't PHP. Or am I missing something? As for the tracy-2.x folders - each is a different version depending on the version of the PHP you are running: https://github.com/adrianbj/TracyDebugger/blob/d48ebdc0d962c34042651f82b388df93e872ab81/TracyDebugger.module.php#L355-L366 You can delete the unused ones if you want, but they'll just come back next time you update Tracy. May I ask why you want to delete them?
  9. This module is very much work in progress, but I wanted to get it out as soon as it is somewhat useful, so here we go: say hi to Cookie Table. Cookie Table is essentially a module for managing a list of cookies used on a site. At least around here in Finland it is a necessity to have a list of cookies, regardless of whether they are ones that you need a specific permission for. This list should include key details about each cookie, including name, purpose, and duration. Cookie Table is used to manage this data in the admin, and once you've set up a list of cookies, you can render it on the front-end as a table:

         echo $modules->get('CookieTable')->render();

     ... or using your own custom markup:

         $cookies = $modules->get('CookieTable')->getCookies();
         foreach ($cookies as $cookie) {
             echo "Cookie name: " . $cookie['name'] . "<br>";
         }

     Now, the reason I'm saying that it's a work in progress — even though it does what I've outlined above — is that there are a lot of things I want to add still. At the moment it is mostly a tool for managing some data in the admin, which is something you could just as easily do via pages, or even simple CKEditor / TinyMCE field. What I am mostly interested in is adding some automation:

       • Crawling the site, or at least most important pages, and automatically detecting used cookies
       • Integrating the module in whatever way makes most sense with PrivacyWire
       • Integrating the module with existing cookie databases
       • Adding some way to push/pull updates via web API

     Once one or more of aforementioned features have been added, I can definitely say that this module is worth its weight 😉

     Cookie Table on GitHub

     Install via Composer:

         composer require teppokoivula/cookie-table
  10. Hi @joshua, I am getting the following error while trying to implement cookie consent for a Youtube iFrame: Uncaught TypeError: "text/javascript".poster is undefined What am I doing wrong? I tried both Ryan's TextFormatterVideoEmbed and manually adding all the attributes. All works fine but the src of the iframe is never resolved which I guess is due to the error above. Any help is appreciated, thanks. Edit: I am pretty sure this is caused by an error/missing semicolon in the PrivacyWire JS. Not sure how this works for anyone??
  11. I put the styles for it in the head section of my html/_main.php manually in a <style>-tag. For example:

          <style>
          /* Cookie Banner */
          .show-banner>.privacywire-page-wrapper,
          .show-options>.privacywire-page-wrapper,
          .show-message>.privacywire-page-wrapper {
              position: fixed;
              left: 0;
              top: 0;
              right: 0;
              bottom: 0;
              background: rgba(0, 0, 0, 0.6);
              backdrop-filter: blur(5px);
              display: flex;
              justify-content: center;
              align-items: center;
          }
          .privacywire {
              display: none;
          }
          .show-banner .privacywire.privacywire-banner,
          .show-options .privacywire.privacywire-options,
          .show-message .privacywire.privacywire-message {
              display: block;
              position: relative;
              left: auto;
              right: auto;
              bottom: auto;
              max-width: 850px;
              padding: 2rem;
              color: #000;
              background-color: #fff;
          }
          .privacywire-page-wrapper input {
              margin-right: 0.5rem;
          }
          .privacywire-page-links {
              margin-top: 1rem;
          }
          .privacywire-buttons button,
          .privacywire-page-links a {
              margin: 0.5rem 0.5rem 0.5rem 0;
          }
          @media screen and (min-width: 992px) {
              .privacywire-buttons button,
              .privacywire-page-links a {
                  margin: 0.5rem;
              }
              /* Don't give the first button margin-left */
              .privacywire-buttons button:first-child,
              .privacywire-page-links a:first-child {
                  margin-left: 0;
              }
          }
          </style>

      So it loaded as first. That resolved it for my sites. (Also with fixed/relative notation)
  12. hi .. Unable to log into ProcessWire admin dashboard. After submitting valid credentials, the URL changes to /dashboard, but the login form reloads without errors. The system throws:

          ProcessLogin: This request was aborted because it appears to be forged.

      Observed Behavior:
        • No error messages (e.g., "wrong password").
        • CSRF token validation failure (request appears forged).
        • Login form reloads instead of redirecting.

      Environment Details:
        • PHP Version: 8.2
        • Server: plesk with custom .htaccess.

      Key Configurations Checked:

      config.php:

          $config->sessionCookieSecure = true;
          $config->sessionCookieDomain = '.alfalgroup.com';
          $config->protectCSRF = true;
          $config->debug = true;

      .htaccess:
        • Custom rules overriding session/cookie security.
        • Headers unsetting cookies (Header unset Set-Cookie).
        • PHP directives forcing insecure cookies (session.cookie_secure 0).

      Steps Taken So Far:
        • Cleared sessions/caches (site/assets/sessions/, site/assets/caches/).
        • Updated .htaccess to enforce HTTPS and remove conflicting directives.
        • Verified file permissions (755 for directories, 644 for files).
        • Temporarily disabled CSRF protection ($config->protectCSRF = false), but issue persists.

      how fix please
  13. Hey @Sebi, I had zero problems for several months, but today a client told me that a site, that was working perfectly, suddenly stopped working. I have a SvelteKit WebApp that uses PW as API with AppApi and all other routes are working fine (status code 200, correct json) except for those called via /api/page/... The (API) webserver gives a status code 500, although outputting correct json:

          curl -v -H "Origin: https://domain.com" https://api.comain.com/api/page/touren
          * Trying XX.XX.XX.XX:443...
          * Connected to api.domain.com (XX.XX.XX.XX) port 443 (#0)
          * ALPN: offers h2,http/1.1
          * (304) (OUT), TLS handshake, Client hello (1):
          * CAfile: /etc/ssl/cert.pem
          * CApath: none
          * (304) (IN), TLS handshake, Server hello (2):
          * (304) (IN), TLS handshake, Unknown (8):
          * (304) (IN), TLS handshake, Certificate (11):
          * (304) (IN), TLS handshake, CERT verify (15):
          * (304) (IN), TLS handshake, Finished (20):
          * (304) (OUT), TLS handshake, Finished (20):
          * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
          * ALPN: server accepted h2
          * Server certificate:
          * subject: CN=api.domain.com
          * start date: Dec 9 14:27:01 2024 GMT
          * expire date: Mar 9 14:27:00 2025 GMT
          * subjectAltName: host "api.domain.com" matched cert's "api.domain.com"
          * issuer: C=US; O=Let's Encrypt; CN=R10
          * SSL certificate verify ok.
          * using HTTP/2
          * h2 [:method: GET]
          * h2 [:scheme: https]
          * h2 [:authority: api.domain.com]
          * h2 [:path: /api/page/touren]
          * h2 [user-agent: curl/8.1.2]
          * h2 [accept: */*]
          * h2 [origin: https://domain.com]
          * Using Stream ID: 1 (easy handle 0x14c00c600)
          > GET /api/page/touren HTTP/2
          > Host: api.domain.com
          > User-Agent: curl/8.1.2
          > Accept: */*
          > Origin: https://domain.com
          >
          < HTTP/2 500
          < server: nginx
          < date: Thu, 09 Jan 2025 23:51:40 GMT
          < content-type: application/json
          < expires: Thu, 19 Nov 1981 08:52:00 GMT
          < cache-control: no-store, no-cache, must-revalidate
          < pragma: no-cache
          < x-powered-by: ProcessWire CMS
          < access-control-allow-origin: https://domain.com
          < access-control-allow-headers: Content-Type, AUTHORIZATION, X-API-KEY
          < access-control-allow-credentials: true
          < x-original-status: 200
          < set-cookie: wires=krcrpn4pn6v9pc16mbqXXXXXX; path=/; secure; HttpOnly; SameSite=Lax
          < x-frame-options: SAMEORIGIN
          < x-xss-protection: 1; mode=block
          <
          {"last_modified":1729504403,"tours":[{...}]... (json is fine)

      I tried a lot, but there is nothing in the logs indicating a solution. Maybe you have an explanation or can give me a hint? This was working perfectly fine for more than a year and suddenly stopped working, although nothing (PHP version, PW version, code) changed in the last few months (at least nothing that I am aware of). Any help is appreciated. Thanks, Flo
  14. Hi, I have clients using a processwire site from with other applications (eg browsers in those apps) previously the site was locked down on IP ranges and login was not required. Now that is changed and login is required. One of the clients now get 500 internal server error when trying to login. I think it is related to the session cookies. This is what I've tried:

      In httpd.conf:

          Header always set Content-Security-Policy "frame-ancestors 'self' client1.domain.com client2.domain.com";

      This I can also see is set by looking at the headers. Then I'm trying to set SameSite=None which I can't get to be working, I've tried:

      In .htaccess:

          Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None

      In site/config.php:

          ini_set('session.cookie_samesite', 'None');

      and...

          $config->cookieOptions = [
              'secure' => true,
              'samesite' => 'None',
          ];

      But still cookies looks like this: Does anyone have an idea why the cookie options seems to be the same, no matter how I configure above? And do you believe I'm on the right path solving the issue or can it be something else? Running an old Processwire 3.0.123-0 Thanks
  15. Hello Everyone, For our KIT325 Cybersecurity Project, we recently checked the security of ProcessWire CMS, a system used for managing website content. We wanted to see if its default settings are secure enough based on the OWASP Top 10 standards, which are common web security guidelines. Here’s a quick look at what we found and what could be improved:

      Blocking Brute Force Login Attempts:
        • What We Found: ProcessWire does slow down login attempts if someone keeps trying the wrong password. But it only blocks based on username, not by tracking where the login attempts come from (like IP addresses).
        • Suggestion: It would be safer if ProcessWire blocked login attempts based on IP as well. Also, the system could use a response code like “429 Too Many Requests” to alert attackers that they’re being blocked.

      Session Cookie Security:
        • What We Tried: Session cookies (used to keep users logged in) seem secure, but we couldn’t fully test if they were safe from all advanced attacks.
        • Future Testing: We’d need more tools and knowledge to explore if these session cookies could ever be forged to trick the system.

      File Access Control:
        • What We Saw: Files from unpublished pages could still be accessed if someone knew the file path, which could leak private information.
        • Fix: ProcessWire should make a certain setting ($config->pagefileSecure) enabled by default to restrict file access based on page permissions. This way, only authorized users can see those files.

      HTTPS (Secure Connection) Enforcement:
        • Current Setup: ProcessWire requires HTTPS (secure connection) settings to be turned on manually in the .htaccess file, which may not be done by every user.
        • Recommendation: It would be better if HTTPS were enabled by default, so all sites are secure right from the start.

      Improving Activity Logs:
        • Missing Logs: Some important activities like content changes and role updates aren’t logged by default.
        • Suggestion: ProcessWire should add logs for these actions. This way, any unusual activity can be tracked and traced back to the user who made the changes.

      Password Rules:
        • Issue: Passwords set through the API (another way to interact with the system) might not meet the same security rules as those set in the admin panel.
        • Improvement: ProcessWire should require all passwords to meet the same standard, ideally making them at least 12 characters long and easier for users to remember.

      Overall, ProcessWire has a strong security foundation, but these adjustments could make it even safer. This experience showed us the value of secure default settings, especially for users who might not make these changes on their own.
  16. @benbyf Did you consent to the cookies? We use Termly to manage our cookie settings and permissions. If you don't consent to all the cookies, you will get the errors (on all pages, not just the booking form). If you click on the 'Consent Preferences' in the footer, you will be able to accept all cookies. Please try that and see if you can submit the form. TBH, adding the consent stuff is sometimes a pain, since not accepting sometimes breaks scripts in non-obvious ways.
  17. Good day! I've got one of my sites security checked and this is the stuff (they say) I need to fix: I can see that "Domain" is set to current domain that makes it the same as it was missing, but those who check do not know that. Can I remove Domain attribute from the cookie? It seems like I can't do it via config. As far as I understood reading this, I need to add "__host-" to all the cookie names. I can rename "wire" to "__host-wire" in config, but is there a way to apply it to all cookies set by PW automatically? Or maybe I do not need it for anything but session cookie. Can't get my head around it (( Thanks)
  18. Besides your workflow makes me feel a bit uncomfortable with all that raw HTML in input fields, and things like that, I struggle to really understand what pages you are looking at for changes you made and how you look at them and test them. You mention the change of session keys, which only happens in case the session changes, which is rarely the case while working in the backend. There could be of course things like enabled developer tools in the browser, using a CDN on the website, and maybe even code you use in your custom login screen. To make it clear: Usually working in the backend should NOT take two tries to save a change. That's rarely an issue someone would face. It can happen, when for example you are behind a VPN (like in Opera, without knowing), cookie blockers, adblockers, and even a not so perfect setup of Cloudflare CDN that tries to cache everything in your backend. To get you going:
        • is this a local or remote setup
        • if local: what kind of setup is that? (DDEV, Laragon, Docker, Custom)
        • can you post screens of your editing and testing pages (so we know where you actually are in ProcessWire)
  19. @cpx3 You store the products in the session or a cookie, you don't need the session_id to do that.
  20.   • AJAX Voting: You can now submit ratings without refreshing the page.
        • Cookie Checking: It checks if a user has already voted by using cookies.
        • Hover Effect: A hover effect has been added. If a user has already voted, the hover effect will be disabled for them.

      It needs some work before it’s ready for use on sites.

      Update: I've updated the code to store the average rating, vote count and rating sum in a separate table. Now it retrieves the data directly from this table instead of recalculating each time.

      StarRating.module.php
  21. I'm creating a star rating system for PW. I haven't found one. I would greatly appreciate your feedback.

      Star Rating

      Current Features:
        • IP Checking: Prevents multiple votes from the same user.
        • Displaying Stars and Rating Form: The star ratings are displayed on the pages with shortcode.
        • Average Rating Calculation and Vote Counting: Calculates the average rating based on the votes.

      Known Bug: Currently the stars are not highlighted when a user hovers over them.

      Plans:
        • Improved Styling: Enhance the visual appeal and user interface.
        • AJAX Support and Feedback: Implement AJAX functionality to allow submitting ratings without page reload. Add a feature to provide users with immediate feedback after submitting their rating.
        • Structured Data Schema Support: The ratings are picked up by search engines for rich snippets, enhancing SEO and visibility.
        • Cookie Checking: To further prevent multiple votes.

      Usage: The database table star_ratings is created during the installation. When you uninstall it drops the table. Add the following shortcode to the desired location within your template:

          <!--StarRatingForm-->

      StarRating.module.php
  22. DaCha is a water sports center in Egypt and a hotel. https://surfdacha.com/en/ Multi-language. The backend implements the management of customer reservations and bookings. Naturally, the website is made on ProcessWire. UiKit 3 layout. Modules: LoginRegisterPro, Cookie Management Banner, Map Marker, FrontendForms, Markup Sitemap XML, Video embed for YouTube (and Vimeo), Tracy Debugger.
  23. ...hm - according to this: https://www.makeuseof.com/brave-blocks-cookie-consent-banners/ It seems to be a feature of Brave not a bug. Maybe it's difficult to work around this, and not using all of the typical "consent-phrases" ?. But in this case I would say it's what the user wants while he is using Brave?
  24. In this case, I would deactivate the session cookie completely. Here is an example for a solution that keeps it for logged-in users, but doesn't set it for guests: https://processwire.com/talk/topic/15270-session-storage-and-lifetime/?do=findComment&comment=136575
  25. Is this to meet Google's new standards for ads? You need to use a Google-approved Cookie management system (CMS) so it's done independently of ProcessWire. It seems unfair you have to use commercial options but there isn't an open source version that I am aware of. You can see the list here: https://support.google.com/admanager/answer/13554116?hl=en#zippy=%2Cgoogle-certified-cmps I've used CookieYes for a few clients. Looks decent enough and quick to set up. It's free up until 25k page views per month (I think). A few clients are paying ~$10 a month as they get more traffic than that.