Support » Developing with WordPress » Ajax login and nonce verification

Viewing 7 replies - 1 through 7 (of 7 total)
  • You should change the workflow. Don’t show the form unless the user is logged in.

    Thread Starter Amit Biswas

    (@amitbiswas06)

    @joyously Thanks for the reply. However, that’s not a coding solution. I don’t think WordPress cannot offer solutions for this type of situation. I am expecting a coding solution for this, as there are no issues with my workflow. I must allow users to fill in the form whether they are logged in or not.

    Think about what the nonce is for. You want to make sure the action is not hijacked, and that the user intends the action on the object.
    So when generating the nonce, you use something to tie the user to the action.
    Well, when you are filling out a form when not logged in, you can’t tie a user to the object, because there is no user. Does that mean there should be no nonce or no form?
    There is no point in putting a nonce in a form that won’t be used. The PHP has to be able to compute the same nonce, in order to verify it. So trying to send a new nonce in AJAX is pointless. How would the AJAX function know whether it was the real user or a hijack?
    You need to change the flow.

    Thread Starter Amit Biswas

    (@amitbiswas06)

    @joyously No point talking the other way. For instance, yes, the form nonce will be used, as there are both options to submit: a not-logged-in user and a logged-in user can both submit the form. A not-logged-in user will have to fill in an email ID for that. My issue is when a registered user decides to submit the form while logged in: I must enable them to submit without refreshing the entire page, which would cost them re-entering every piece of data in the form. Hope this makes sense?

    If the non-logged in user can submit, then don’t put the link for the AJAX login.
    It sounds like you need two different action hooks, one for logged in and one for not logged in, which you accomplish with the _priv addition to the hook name.

    Thread Starter Amit Biswas

    (@amitbiswas06)

    @joyously It seems you are missing the point that I am talking about. I am already using both hooks for form “X”. I just wanted to create and return the logged-in nonce after the Ajax login, which in this case is being returned, but that is different. If you see my code below this line, $user = wp_signon( $creds, false );, you will get it.

    Thread Starter Amit Biswas

    (@amitbiswas06)

    I just found the solution here – at stackoverflow

    The main issue was: after the Ajax login succeeded, the nonce was being created with the old session cookie, while the session only updates on the next request. So I had to use the set_logged_in_cookie action hook to update the session cookie immediately after the Ajax login is done. Here is the code:

    // wp_create_nonce() builds the nonce from wp_get_session_token(), which reads
    // $_COOKIE[ LOGGED_IN_COOKIE ]. wp_signon() sends the new cookie to the browser
    // but does not update $_COOKIE for the current request, so a nonce created
    // right after login would still be based on the stale (logged-out) state.
    // This hook runs inside wp_set_auth_cookie() and patches $_COOKIE immediately.
    add_action( 'set_logged_in_cookie', 'my_update_cookie' );
    function my_update_cookie( $logged_in_cookie ) {
        $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
    }

    A similar issue was also discussed a few years ago in this forum – Ajax login nonce creation

    Thanks!
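The following is an added example, not code posted in this thread or part of WordPress itself. It ties together the two points made above: the split into a logged-in hook (wp_ajax_{action}) and a logged-out hook (wp_ajax_nopriv_{action}) for form “X”, and the set_logged_in_cookie fix that lets the Ajax login handler return a nonce that will actually verify on the next request. The action names (my_ajax_login, submit_form_x), the POST field names, the form_x_entry post type and the login nonce name are assumptions chosen for illustration.

```php
<?php
// Added example (not the original poster's code). Assumed names: my_ajax_login,
// submit_form_x, form_x_entry, and the POST fields log/pwd/rememberme/email/message.

// 1. Keep $_COOKIE in sync the moment WordPress sets the logged-in cookie.
//    wp_create_nonce() hashes "tick|action|uid|session token"; the session token
//    comes from wp_get_session_token(), which parses $_COOKIE[ LOGGED_IN_COOKIE ].
//    wp_signon() only sends Set-Cookie headers, so without this hook a nonce made
//    in the same request is computed from the stale logged-out state.
add_action( 'set_logged_in_cookie', 'my_update_cookie' );
function my_update_cookie( $logged_in_cookie ) {
    $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
}

// 2. Ajax login endpoint. Only logged-out visitors need it, so register the
//    nopriv hook only. The login form carries its own nonce, created with
//    wp_create_nonce( 'my_ajax_login' ) and posted in the "security" field.
add_action( 'wp_ajax_nopriv_my_ajax_login', 'my_ajax_login' );
function my_ajax_login() {
    check_ajax_referer( 'my_ajax_login', 'security' ); // dies with -1 / 403 on mismatch

    $creds = array(
        'user_login'    => isset( $_POST['log'] ) ? sanitize_user( wp_unslash( $_POST['log'] ) ) : '',
        'user_password' => isset( $_POST['pwd'] ) ? $_POST['pwd'] : '', // never sanitize passwords
        'remember'      => ! empty( $_POST['rememberme'] ),
    );

    // is_ssl() sets the Secure flag on the auth cookie when the request is HTTPS.
    $user = wp_signon( $creds, is_ssl() );
    if ( is_wp_error( $user ) ) {
        // Generic message: echoing $user->get_error_message() would reveal whether
        // the username exists.
        wp_send_json_error( array( 'message' => 'Invalid login.' ), 403 );
    }

    // wp_signon() sets the cookies but does not change the current user for this
    // request; wp_create_nonce() needs the right user ID as well as the token.
    wp_set_current_user( $user->ID );

    // Thanks to the hook in step 1 this nonce matches what the browser will send
    // once it holds the new logged-in cookie, so the form can be submitted without
    // a page reload. The old logged-out nonce (uid 0, empty token) would fail.
    wp_send_json_success( array( 'nonce' => wp_create_nonce( 'submit_form_x' ) ) );
}

// 3. Form "X": one handler per state, as suggested in the thread.
add_action( 'wp_ajax_submit_form_x', 'submit_form_x_priv' );
add_action( 'wp_ajax_nopriv_submit_form_x', 'submit_form_x_nopriv' );

function submit_form_x_priv() {
    check_ajax_referer( 'submit_form_x', 'security' );
    $user = wp_get_current_user();
    $id   = save_form_x( $user->user_email, $user->ID );
    is_wp_error( $id ) ? wp_send_json_error( null, 500 ) : wp_send_json_success( array( 'id' => $id ) );
}

function submit_form_x_nopriv() {
    check_ajax_referer( 'submit_form_x', 'security' ); // logged-out nonce, tied to uid 0
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'A valid email address is required.' ), 400 );
    }
    $id = save_form_x( $email, 0 );
    is_wp_error( $id ) ? wp_send_json_error( null, 500 ) : wp_send_json_success( array( 'id' => $id ) );
}

// Store the submission as a private entry of an assumed custom post type.
function save_form_x( $email, $user_id ) {
    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    return wp_insert_post( array(
        'post_type'    => 'form_x_entry', // assumed to be registered elsewhere
        'post_status'  => 'private',
        'post_title'   => $email,
        'post_content' => $message,
        'post_author'  => $user_id,
    ), true );
}
```

On the client, the JavaScript that submits the login form over admin-ajax.php should replace the nonce it holds for form “X” with the one in the login response before resubmitting the form data it kept in memory; the nonce generated for the logged-out page is bound to user ID 0 and an empty session token, so it will not verify once the visitor is logged in.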
