Support » Developing with WordPress » Understanding nonces

  • jojas
    So in trying to understand nonces, I am a bit confused. It seems they last for 12-24 hours.

    So if I visit a page, a nonce will be generated, and if I refresh that page 1 hour later, the nonce will be the same.

    If I wait 25 hours and attempt to submit a form or click a url with a nonce, it seems the nonce will be expired.

    So then…

    1) Wouldn’t it be the case that, if the nonce lasts exactly 24 hours (or 12 hours, or whatever; the amount isn’t relevant here), and then 1 minute before it expires the user refreshes the page, they fill out the form in 5 minutes and submit, but lo and behold the nonce has already expired because it expired 1 minute later?

    Am I missing something here? That seems like that shouldn’t be the way it would work – and that I am missing something.

    Additional thoughts…

    2) It seems nonces could create issues with caching plugins, since it could cache the form load with that nonce, and load it after it already expired, because the page is cached. For example, on a Contact Us page with a form.

    3) This causes issues if the person loads a page but then leaves it open and fills out the form 2 days later. It seems that perhaps continually getting the wp_nonce_field via JavaScript with AJAX and putting it back into the page every 1 hour would solve this problem – however, this would still bring about the issue of question 1, where it could get the nonce field theoretically one minute before it expires.

    Thanks for your help in answering any of these questions.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz
    You’ve pretty much grasped the entire concept, except for one crucial detail. While a nonce lasts 24 hours, a new one is generated every 12 hours, so users have at least 12 hours minimum to submit after loading. Caching could be an issue if the interval is greater than 24 hours. Most people would reload a form if a submittal fails, so it would be a rare occurrence that someone simply gives up.
    Don’t forget that plugins can change the details of the nonce: the interval or the algorithm for computing it.

    The ajax nonce renewal doesn’t make much sense because you still have to verify that it’s a valid request for the new nonce. So the nonce generated with the page works best.
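A small Python model of the tick scheme the replies describe, added here as an illustration (it is not WordPress code; the secret, the truncated HMAC and the omitted session token are stand-ins for WordPress's salts and wp_hash). It shows why the one-minute-before-expiry case in question 1 still verifies, and why a page cached for more than 24 hours (question 2) does not:

```python
import hashlib
import hmac

# Constructed model of the WordPress nonce "tick" scheme, not WordPress code.
NONCE_LIFE = 24 * 60 * 60            # default lifetime in seconds (plugins can filter it)
HALF_LIFE = NONCE_LIFE // 2          # the tick advances every 12 hours
SECRET = b"constructed-demo-secret"  # placeholder, not a real salt


def nonce_tick(now: int) -> int:
    """Current tick: ceil(now / HALF_LIFE), in integer arithmetic to avoid float drift."""
    return -(-now // HALF_LIFE)


def _nonce_for_tick(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action: str, user_id: int, now: int) -> str:
    return _nonce_for_tick(nonce_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: int):
    """Mirror wp_verify_nonce: 1 = issued this tick, 2 = issued last tick, False = stale."""
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, _nonce_for_tick(tick, action, user_id)):
        return 1
    if hmac.compare_digest(nonce, _nonce_for_tick(tick - 1, action, user_id)):
        return 2
    return False


def seconds_until_expiry(issued_at: int) -> int:
    """A nonce stays valid until the tick after the one it was issued in ends."""
    return (nonce_tick(issued_at) + 1) * HALF_LIFE - issued_at


if __name__ == "__main__":
    boundary = 10 * HALF_LIFE  # a tick rollover instant (constructed timestamp)
    # Question 1: page loaded one minute before the rollover, form submitted five
    # minutes later. The previous tick is still accepted, so the result is 2.
    token = create_nonce("contact_form", 0, boundary - 60)
    print(verify_nonce(token, "contact_form", 0, boundary + 240))
    # Question 2: a cached page served more than 24 hours later carries a dead nonce.
    print(verify_nonce(token, "contact_form", 0, boundary + NONCE_LIFE + 1))
    # The usable window is therefore between 12 and 24 hours, never shorter.
    print(seconds_until_expiry(boundary) // 3600,
          seconds_until_expiry(boundary - HALF_LIFE + 1) // 3600)
```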
