I am trying to set up a login system and a contact form for front-end users of my custom WP theme. I need to create an AJAX POST method and send the input values to the server (captcha and input values like name, phone, email, ...). Now my question is: do I have to create a PHP session to secure against unwanted form submission or to pass the captcha value between two pages?
If so, is this a correct page template for a contact page and captcha page?
<?php
session_start();
/*
Template Name: Contact Page
*/
The captcha.php:
<?php
session_start();
You do not need to start a session in order to send a captcha, name, phone, or email. However, if you want to remember this information as the user clicks on different pages you will need to start a session.
It is a common convention in WordPress to start the session in your functions.php file.
if (!session_id()) {
session_start();
}
Now, on your contact page you can store the information after POST:
$_SESSION['email'] = $_POST['email'];
And it will be available on different pages in the $_SESSION array.
Note: validate and sanitize the $_POST variables. Look into storing a token in your database that is associated with a user id vs storing the user's information in the $_SESSION array. Then store the name, phone, and email in your DB.
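The server side of the AJAX submission discussed above, as an added example that is not part of the original question or answer: a functions.php handler that checks a nonce, compares the captcha against the value kept in the session, and sanitizes the fields before use. The action name `mytheme_contact`, the `nonce` field, the helper `mytheme_post_field()` and the `$_SESSION['captcha']` key (assumed to be set by captcha.php) are hypothetical names chosen for illustration.

```php
<?php
// functions.php -- added example. Action, nonce and field names, and the
// $_SESSION['captcha'] key written by captcha.php, are assumptions.

add_action( 'init', function () {
    if ( ! session_id() ) {
        session_start(); // the session carries the captcha answer between requests
    }
} );

add_action( 'wp_ajax_mytheme_contact', 'mytheme_handle_contact' );        // logged-in users
add_action( 'wp_ajax_nopriv_mytheme_contact', 'mytheme_handle_contact' ); // visitors

// Return a POST field as an unslashed string; arrays and missing keys become ''.
function mytheme_post_field( $key ) {
    return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) )
        ? wp_unslash( $_POST[ $key ] )
        : '';
}

function mytheme_handle_contact() {
    // Dies with a 403 unless the request carries the nonce printed into the
    // form with wp_nonce_field( 'mytheme_contact', 'nonce' ).
    check_ajax_referer( 'mytheme_contact', 'nonce' );

    // The captcha answer is single-use: read it, then drop it from the
    // session so one solved captcha cannot be replayed for many submissions.
    $expected = isset( $_SESSION['captcha'] ) ? (string) $_SESSION['captcha'] : '';
    unset( $_SESSION['captcha'] );
    $given = sanitize_text_field( mytheme_post_field( 'captcha' ) );

    if ( '' === $expected || ! hash_equals( $expected, $given ) ) {
        wp_send_json_error( array( 'field' => 'captcha' ), 400 );
    }

    $name  = sanitize_text_field( mytheme_post_field( 'name' ) );
    $phone = preg_replace( '/[^0-9+]/', '', mytheme_post_field( 'phone' ) );
    $email = sanitize_email( mytheme_post_field( 'email' ) );

    if ( '' === $name || ! is_email( $email ) ) {
        wp_send_json_error( array( 'field' => 'name_or_email' ), 400 );
    }

    // Only the sanitized values go on to the database or wp_mail().
    wp_send_json_success( array( 'name' => $name, 'phone' => $phone, 'email' => $email ) );
}
```

For visitors who are not logged in, WordPress issues the same nonce to every anonymous user, so the session-bound, single-use captcha is what limits automated submissions here.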