Why not create nonces unique?

When creating nonces (e.g. wp_create_nonce("MyNonceKey")), the nonce keys are visible in the source code, and the output looks like this: <input name="MyNonceKey" ...>. So anyone knows what the key is (so a CSRF attacker knows what key to attack; s/he only has to guess the value). Why doesn't WP also make the KEY variable (variable per site), like <input name="<?php echo md5("MyNonceKey" . AUTH_SALT); ?>" (where AUTH_SALT is the per-site value from wp-config), so that an attacker can never guess it and nonces will be much more secure? (The developer could then check with if(isset($_POST[md5("MyNonceKey" . AUTH_SALT)])) instead of the currently used approach if(isset($_POST['MyNonceKey'])).)

(Note: md5 and AUTH_SALT are just examples; better approaches could be used, but this is enough for the example. Also, please note that I am talking about the “key”, not the value of the nonce.)

Otto already answered this question in Slack.
The key is not important. It’s the value that is, because it changes.

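A worked model of why the reply holds, added here and not part of the thread: the field name is public, but the value is a keyed hash over the action, the user, the session and a time tick, so knowing the name gives an attacker nothing to guess with. The per-site secret, the 24-hour nonce life, the half-life tick and the 10-character truncation follow the shape of WordPress's nonce scheme, but this is a simplified Python model, not WordPress code.

```python
import hashlib
import hmac
import math
import time

# Constructed stand-in for a site's secret (WordPress derives it from NONCE_KEY/NONCE_SALT).
SITE_NONCE_SECRET = b"constructed-per-site-secret"
NONCE_LIFE = 24 * 60 * 60  # one day; the tick rolls over every half-life


def nonce_tick(now=None, life=NONCE_LIFE):
    """Tick counter that advances every life/2 seconds."""
    now = time.time() if now is None else now
    return math.ceil(now / (life / 2))


def _digest(tick, action, user_id, session_token):
    # Keyed hash over tick|action|user|session, truncated like wp_create_nonce's
    # substr(wp_hash(...), -12, 10). The secret never appears in the form.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SITE_NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Value that goes into the (publicly named) form field."""
    return _digest(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """1 if made in the current tick, 2 if in the previous one, 0 if invalid."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _digest(t, action, user_id, session_token)
        # Constant-time comparison; the value is the only thing an attacker must guess.
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def handle_post(form, user_id, session_token, now=None):
    """Server-side check: the field NAME 'MyNonceKey' is public, only the VALUE is verified."""
    nonce = form.get("MyNonceKey", "")
    return verify_nonce(nonce, "MyNonceKey", user_id, session_token, now) != 0
```

Knowing the field name, a forged request still needs the value bound to the victim's user id and session, which only the site's secret can produce.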