Identical wp_rest nonce returned from rest_api

Despite you already figured it out or found a solution, since this is a follow-up to the other question, I thought it’d be benefecial to post this answer, so hopefully it helps you. =)

WordPress uses the native setcookie() function in PHP for setting the authentication cookies, and $_COOKIE for reading the cookies values. But the thing is, PHP doesn’t immediately update the values in the $_COOKIE array and instead, it’ll only be updated once the page is reloaded.

So because WordPress nonces rely upon the current user and the authentication cookies, you’ll need to do these in order to get the correct nonce on the very same page/request — i.e. without page reloads:

  1. Immediately update the $_COOKIE array once you’ve called wp_signon() (which calls wp_set_auth_cookie()). And you can do that using the set_logged_in_cookie hook.

  2. And then call wp_set_current_user() after logging in the user — if you don’t call it, the generated nonce will not use the current user and functions like is_user_logged_in() and current_user_can() would also return false.

Working Example

function wpse_377570( $logged_in_cookie ) {
    $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
}
add_action( 'set_logged_in_cookie', 'wpse_377570' );

function ajax_login( $request ) {
    // Logs the user in and set the authentication cookies.
    $user = wp_signon( array(
        'user_login'    => $request->get_param( 'username' ),
        'user_password' => $request->get_param( 'password' ),
        'remember'      => true,
    ) );

    // In case of errors like wrong password, return the error object/data.
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    // Now set the current user so that we get the correct nonce based on
    // that user.
    wp_set_current_user( $user->ID );

    return [
        'nonce'    => wp_create_nonce( 'wp_rest' ),
        'loggedin' => is_user_logged_in(),
        // ... your other data.
    ];
}

Additional Notes

  • REST API endpoint’s callback always receives the request object (a WP_REST_Request instance) as the first parameter, which among other functions, has get_param() for retrieving a parameter like a URL query string, a POST body data or a JSON payload, so you should make use of that and the other functions, just as I did in my example. 🙂

Related Posts:

  1. how to send Ajax request in wordpress backend
  2. How to get a unique nonce for each Ajax request?
  3. Using Backbone with the WordPress AJAX API
  4. WP-AJAX vs WP REST API: What to use for requests to the website from outside?
  5. Nonces and Cache
  6. Is it safe to assume that a nonce may be validated more than once?
  7. Including WordPress in RESTful API
  8. Multiple ajax nonce requests
  9. REST API endpoint for elasticpress autosuggest
  10. Using Nonces for AJAX that only retrieves data
  11. How to verify nonce from Bulk/Quick Edit in save_post?
  12. Gutenberg – how to correctly perform ajax request on backend
  13. How to add WordPress nonces to ajax request
  14. AJAX request from Chrome Extension to WordPress Website
  15. Nonces and Ajax request to REST API and verification
  16. Ajax function returns -1
  17. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  18. WP REST API route request explain
  19. wp_verify_nonce always returns false when logged in as admin
  20. Confused on AJAX submit form through page template
  21. ajax and nonce when JavaScript is in a seperate file
  22. Solve cors problem using rest api or ajax
  23. wp_verify_nonce doesn’t return true on server when it matches the nonce
  24. AJAX requests broken due to HTTPS for wp-admin
  25. Is there a hook to process a backbone restful PUT request inside wordpress?
  26. Nonces, AJAX, script variables & security in WordPress
  27. Extending wp JavaScript base class to make a post request to a custom REST endpoint
  28. Why does WordPress Heartbeat login not refresh the nonces?
  29. wp-admin AJAX with Fetch API is done without user
  30. How do I check if AJAX nonces are implemented correctly?
  31. How to check an ajax nonce in PHP
  32. Can a wp_nonce created from domain 1 to be verified on domain 2?
  33. How to add WP API and JS featured image attachment
  34. WP Admin AJAX Security – using POST to include a relative URL
  35. wp_create_nonce() in REST API makes user->ID zero
  36. ajax nonce verification failing
  37. How do I get reusable blocks via frontend REST API?
  38. Is there builtin way to use protected AJAX endpoint?
  39. SSO autologin WordPress + Ajax
  40. rest_no_route custom route
  41. Test WordPress api with postman
  42. Are nonces in WP REST API optional by default?
  43. How to load content from many posts on a page, only if needed
  44. How do I query posts by a sub value with the API?
  45. Nonce fails on ajax save
  46. Unable to successfully verify nonce
  47. merge wp rest api query to get posts per category does not work
  48. Ways to load admin-ajax faster without initializing all plugins?
  49. Cache plugins and ajax nonce verification
  50. Nonce doesn’t validate in nopriv call
  51. Why does check_ajax_referer give a 403 error on https websites?
  52. How to make a fetch() POST request to wordpress rest api?
  53. WordPress is creating nonce as a logged in user but verifying it incorrectly
  54. post values to custom post type which has advanced custom fields
  55. javascript ajax and nonce
  56. How to check nonce lifetime value of plugins?
  57. Using nonce when loading posts with AJAX
  58. REST public POST giving 403 forbidden nginx
  59. Should wordpress nonce be placed in html form or in javascript file
  60. Is it good practice to use REST API in wp-admin plugin page? [closed]
  61. wp_verify_nonce not working on the mobile device
  62. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  63. 404 error custom post type rest api
  64. How to require files in a custom endpoint
  65. AJAX form not working, still reloads on submit
  66. Create a post with REST API and adding a category
  67. Should I edit a user meta field with PUT, PATCH, or POST and WP::Editable
  68. How to trigger lost password email using REST API?
  69. Ajax Security regarding user priviliges and nonces
  70. How to use nonces for frontend AJAX voting if the page gets cached?
  71. WordPress wp_localize_script nonce and ajax URL
  72. how reduce fetch/XHR response time
  73. Custom WP rest api endpoint only working on non https?
  74. Why are the most recent posts not appearing in a fetch request, unless I’m logged in?
  75. How to submit a button automatically after every scheduled hours?
  76. gettext does not translate when called in ajax
  77. Execute one AJAX request after another AJAX request finished
  78. Load tinyMCE / wp_editor() via AJAX [duplicate]
  79. Plupload in metabox – AJAX action not working in Class
  80. wp_localize_script escaping my url – fix or alternative
  81. WordPress ajax problem need wordpress expert?
  82. Increased CPU load due to admin-ajax.php spam
  83. How can I pass get_the_author_meta(‘user_email’) through the REST API?
  84. Can’t get result from sql using ajax result
  85. Theme Customizer – Conditional Controls
  86. Audio TAG Not using MediaElement When Page is loaded through ajax
  87. Ajax calls from the theme directory
  88. How to pass parameters from jQuery ajax into PHP function?
  89. Redirect after saving form; and yet use wp_die()
  90. ajaxt returning object object [closed]
  91. Load more posts (Ajax) in tabbed sidebar on single.php
  92. Why is the file not uploading to the server?
  93. Get localize of a loaded javascript
  94. Query data after an Ajax insert
  95. GET request return value as error instead of success
  96. Problem when sending file via ajax
  97. Change button text after ajax db update
  98. Native WordPress Video Shortcode Not Working After Post is Loaded via Ajax
  99. Speeding up admin-ajax.php
  100. randomly get 400 error while user is logged in wp_ajax
error code: 523