Is there a solution to expired nonces in forms when using full page caching that doesn’t involve configuring the cache?

If something on the page expires sooner than that pages cache then you will end up in this situation or an analogue/equivalent situation.

So in the strictest sense the answer is a hard no.

Either the nonce expiration has to increase, making the nonce less secure, the cache has to decrease so that the things being cached don’t become stale, or that page/page fragment can’t be cached. Everything else involves fundamentally changing what you’re doing, e.g. pulling the form in via JS, using an iframe or embed of some sort, not using a nonce, etc

Note as well that WP doesn’t just check if the nonce is currently valid, there’s a grace period where it also checks the value the nonce would have had previously so that stale nonces don’t just instantly expire.

Depending on your use case, the use of nonces here might not be correct, e.g. if it were a form int he admin area or for a privileged/logged in user to perform an action then a nonce is appropriate. But for lets say a contact form that has no authentication a nonce may not be appropriate. Gravity Forms for example does not uses nonces unless there are restrictions around the form or it requires user login.

As with most rules, PHPCS is there to catch issues and be a tool to better your code, but you shouldn’t blindly implement its recommendations without considering the context. You can silence it with a comment, just be sure to add your own comment explaining why you aren’t using nonces and what you’ve done instead to protect the form ( e.g. captchas ).

As for AJAX, it defeats the point of the nonce since now anybody can query to get the nonce from AJAX without opening the page, eliminating the point of having the nonce in the first place to ensure that the submission of the form came from that specific place. You also then run into the problem of cached AJAX entries, and that you might need a nonce to securely retrieve it putting you back at square one.

Related Posts:

  1. Nonces and Cache
  2. Is wp_nonce_field vulnerable if you know the action name?
  3. Can I verify nonce which was generated on a different WP site?
  4. Nonce actions and names available via open source
  5. Help with forms and nonces
  6. Can you have more than one nonce on a page?
  7. Should I use wp_nonce_field on my contact form?
  8. wp_nonce for Front-End submission form not working
  9. What is &amp used for
  10. How to define form action in JSF?
  11. Free or affordable OCR and ICR (handwriting recognition) SDK?
  12. What characters are allowed in an email address?
  13. How to include landing page with form submission?
  14. How to edit a user profile on the front end?
  15. How to display user registration form on front-end of the website?
  16. How to handle form submission?
  17. What is an easy way to display a front-end user registration form?
  18. Add error message on password protected page
  19. how to set from address according to the form input email address for wp_mail()?
  20. How to get current url in contact form 7
  21. How to pass on Google Adwords gclid variable to other pages
  22. using update_user_meta in form to set and get custom meta
  23. Best way to create multi-step form with data saved to user account for later updating?
  24. User registration problem in WordPress
  25. Creating a contact form without a plugin [closed]
  26. How to submit data from HTML form?
  27. Custom Registration Template/Page
  28. show image in mail contact form 7 [closed]
  29. Submitting post to database then redirecting to paypal
  30. Registration form labels – add asterisk
  31. Autocomplete for taxonomy input boxes on a front end form
  32. Sending form data via PHPMailer – How to action PHP script from a form
  33. How to create and retrieve data from a special registration form?
  34. Contact form 7 Dynamic text – placeholder on GET field
  35. Settings API erases itself?
  36. how to handle forms in multiple pages?
  37. set_query_var doesn’t seem to work on init hook
  38. How to send multipart form data to WordPress endpoint
  39. need to add attach thumbnail from my form
  40. Wp_mail Returning False on Server
  41. recommended practice for form submission
  42. Placeholders in Jetpack Contact Form [closed]
  43. How to update selective options on plugin settings page
  44. Built-in data validation function for URLs
  45. $_POST empty on submit (same code, same form submits normally on local server)
  46. Gravity Forms skip form if already filled out using cookie?
  47. Loading scripts & styles from a meta box callback function
  48. Checkbox won’t check when label is clicked
  49. One comment per user per post
  50. Looking for a simple approach for handling user $_POST data without AJAX?
  51. When is it useful to use wp_verify_nonce
  52. Trying to save and display a wp_editor()
  53. How to return variables from admin-post.php
  54. Help with verifying google recaptcha in a custom form
  55. Setting specific image size for specific form upload file field
  56. Duplicating/Cloning Multiple Form Fields
  57. Full page NGINX (or Cloudflare) caching and WordPress nonces
  58. Contact forms going into spam folder
  59. Get data from dropdown and update page
  60. Mail Form in a modal box without plugin
  61. Using the WordPress selected() function
  62. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  63. Performing a POST action on homepage goes to posts page
  64. Add contact form
  65. How am I able to get the value out of cookie array when I push a button?
  66. 404 on form submit [duplicate]
  67. How to Process Form Request
  68. Form Processing
  69. Reset recaptcha contact form 7 [closed]
  70. Return to option page after running PHP script
  71. Saving checkbox/option list status?
  72. Customize reset password form redirect problem
  73. What is the valid phone number format accepted by contact-form-7 [closed]
  74. creating form for wp_remote_post
  75. How to implement post/redirect/get pattern on contact form
  76. How to know what submit button the user clicked?
  77. limit characters when posting from form
  78. Creating a custom multilingual form
  79. wordpress not displaying my form
  80. Adding data to an array in usermeta and displaying it in a loop
  81. Stripe Error: must provide source or customer [closed]
  82. How to submit form in a PHP file in WordPress?
  83. CRUD front end for mySQL in WordPress
  84. How to prevent page from resubmit on refresh when “Cannot modify header information – headers” warning shows
  85. not logged in users can’t submit form
  86. How to edit custom user meta information front end
  87. Maximum lifetime for nonce
  88. wp_create_nonce function doesn’t work inside a plugin?
  89. How to redirect new WordPress user to previous page after registering
  90. Google Map Latitude and Longitude values in form
  91. How to properly add a custom submenu to the user’s admin menu
  92. How to use TinyMCE in the quick edit form?
  93. post request does not redirect but why
  94. How can I find actual logic php file in form’s action path?
  95. How do I use the info submitted in a form to create a form reception page? (like “thank you {firstName}”) [closed]
  96. WordPress form to shortcode
  97. Create Contact7 Form programmatically [closed]
  98. WPForm, how to set date to tomorrow
  99. recaptcha working on local but not on live wordpress sites [closed]
  100. php form create 2 posts
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)