• I have a function request, for a more security-minded developer. The request is for a function, “wp_delete_nonce”, which would let you delete a nonce after you’ve used it, allowing for single-use-only nonce values (example: once the admin page form that was using the value is submitted, the code destroys the associated nonce, as it’s served its purpose).

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    allowing for single-use-only nonce values (example: once the admin page form that was using the value is submitted, the code destroys the associated nonce, as it’s served its purpose).

    Why have a delete function as it’s already a use once number?

    From Mark Jaquith’s post on the topic:

    A nonce is a number used once

    I’m reasonably sure nonces are used once, or at least infrequently enough to ensure that they’re not reused in this lifetime on an installation…

  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    They remain ‘alive’ for 24 hours, but if they get sniffed, which some people do worry about, the sniffer would have picked up your user ID and password.

    Combining nonces and cookies is pretty darn safe 🙂 Add in SSL admin and you’re golden.
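A simplified model of the trade-off discussed in this thread, added here as an example (it is not WordPress code and not written by any of the posters): a stateless, time-windowed nonce verifies on every replay during its lifetime, and making it single-use requires server-side state. The HMAC-SHA256 construction, `SECRET`, the half-lifetime tick and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import math

LIFESPAN = 24 * 60 * 60           # nonce lifetime from the thread: 24 hours
SECRET = b"constructed-demo-key"  # constructed value standing in for a site secret


def tick(now):
    """Half-lifetime counter (assumption of this model): changes every 12 hours."""
    return math.ceil(now / (LIFESPAN / 2))


def _mac(t, action, user_id):
    msg = f"{t}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now):
    """Stateless token bound to the action, the user and the current tick."""
    return _mac(tick(now), action, user_id)


def verify_nonce(token, action, user_id, now):
    """Accept the current or previous tick, so one token verifies repeatedly."""
    t = tick(now)
    return any(hmac.compare_digest(token, _mac(t - age, action, user_id))
               for age in (0, 1))


class SingleUseVerifier:
    """Server-side record of spent tokens: the state a 'delete nonce' call needs."""

    def __init__(self):
        self._spent = {}  # (token, action, user_id) -> time the record may be dropped

    def verify_once(self, token, action, user_id, now):
        # Forget records whose token can no longer verify anyway.
        self._spent = {k: exp for k, exp in self._spent.items() if exp > now}
        key = (token, action, user_id)
        if key in self._spent or not verify_nonce(token, action, user_id, now):
            return False
        self._spent[key] = now + LIFESPAN  # outlives the token's validity window
        return True
```

The spent-token record has to be kept at least as long as the token can still verify; dropping it earlier reopens the replay window.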

  • The topic ‘wp_delete_nonce’ is closed to new replies.