Is it safe to assume that a nonce may be validated more than once?

1, the nonce lifetime is about 24 hours by default actually. take a look at wp_verify_nonce function.

To be more accurate, the lifetime is controlled by filter

apply_filters( 'nonce_life', DAY_IN_SECONDS );

2, if the lifetime value makes you doubt if it is “an implementation side-effect”, you may want to add_filter('nonce_life',create_function('$v', 'return 60*5;')); to shorten the lifetime to 5 minutes in my example.

3, if you’re concerned about the security of your plugin, you should use csrf token instead.

Related Posts:

  1. Nonces and Cache
  2. Multiple ajax nonce requests
  3. Nonces, AJAX, script variables & security in WordPress
  4. How do I check if AJAX nonces are implemented correctly?
  5. WP Admin AJAX Security – using POST to include a relative URL
  6. ajax nonce verification failing
  7. Why does check_ajax_referer give a 403 error on https websites?
  8. Using nonce when loading posts with AJAX
  9. Should wordpress nonce be placed in html form or in javascript file
  10. Ajax Security regarding user priviliges and nonces
  11. How to get a unique nonce for each Ajax request?
  12. WordPress Ajax Data Security
  13. Nonces can be reused multiple times? Bug / Security issue?
  14. Using Nonces for AJAX that only retrieves data
  15. How to verify nonce from Bulk/Quick Edit in save_post?
  16. How to add WordPress nonces to ajax request
  17. Security – Ajax and Nonce use [closed]
  18. Nonces and Ajax request to REST API and verification
  19. Ajax function returns -1
  20. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  21. wp_verify_nonce always returns false when logged in as admin
  22. ajax and nonce when JavaScript is in a seperate file
  23. wp_verify_nonce doesn’t return true on server when it matches the nonce
  24. AJAX requests broken due to HTTPS for wp-admin
  25. Why does WordPress Heartbeat login not refresh the nonces?
  26. wp-admin AJAX with Fetch API is done without user
  27. How to check an ajax nonce in PHP
  28. Can a wp_nonce created from domain 1 to be verified on domain 2?
  29. Is it safe to manually sign a user in using AJAX?
  30. how to send Ajax request in wordpress backend
  31. Identical wp_rest nonce returned from rest_api
  32. wp_create_nonce() in REST API makes user->ID zero
  33. SSO autologin WordPress + Ajax
  34. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  35. Nonce fails on ajax save
  36. Is it secure to use admin-ajax.php in front?
  37. Unable to successfully verify nonce
  38. Cache plugins and ajax nonce verification
  39. Nonce doesn’t validate in nopriv call
  40. WordPress is creating nonce as a logged in user but verifying it incorrectly
  41. javascript ajax and nonce
  42. How to check nonce lifetime value of plugins?
  43. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  44. Custom RPC end-point security best pratice?
  45. How to prevent my external API call from being called by anyone but me (my site)
  46. wp_verify_nonce not working on the mobile device
  47. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  48. check_ajax_reffer not working when logged
  49. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  50. AJAX form not working, still reloads on submit
  51. How to use nonces for frontend AJAX voting if the page gets cached?
  52. Can I make an ajax response cross-domain?
  53. WordPress wp_localize_script nonce and ajax URL
  54. jQuery’s .on() method combined with the submit event
  55. Why use admin-ajax.php and how does it work?
  56. Including WordPress in RESTful API
  57. How to tie built in AJAX to an add_action?
  58. admin-ajax.php vs .load() in WordPress
  59. Ajax form submission from admin panel
  60. Ajax response is always 0
  61. Ajax is not working for logged out users
  62. When is it useful to use wp_verify_nonce
  63. WordPress AJAX Call Not Return Result
  64. Form data is empty while posting form through ajax using jquery in WordPress
  65. Nonce actions and names available via open source
  66. load next and previous posts by Ajax and URL update
  67. WordPress Ajax Problems
  68. How can I access the Header of and ajax response from the rest API
  69. Getting back to ajax search results from a page
  70. Updating a checkbox value to database for specific row in table
  71. WordPress ajax success response
  72. Admin WP List Table Columns Missing
  73. (updated) How to add AJAX error handling to a (fully) custom registration form?
  74. wordpress admin ajax url rename
  75. rest_no_route custom route
  76. Using infinite scroll ajax load more with search parameter
  77. infinite-scroll for 2 fixed height containers
  78. “Loadmore” button is not working in buddypress [closed]
  79. Uncaught ReferenceError: the_ajax_script is not defined . How is this not defined?
  80. Right way to include blog-header.php?
  81. AJAX action through direct link
  82. Ajax call on new site with jupiterx theme getting 400 response [closed]
  83. Creating an auto result search bar
  84. update_option is not saving an array, but saving the string ‘Array’
  85. Get title and featured image using Ajax
  86. My function containing a mysql query launched by ajax is not working in wordpress. What am I missing?
  87. wordpress ajax search posts
  88. Ajax call from Plugin using Class
  89. Ajax by worpdress affects called jquery inside template file
  90. Call public static method from ajax ‘wpcf7_mail_sent’ hook
  91. Update user meta via ajax from frontend, saving issue
  92. How to get the admin page slug using wp_loaded hook?
  93. Having a self updating list
  94. Unexpected WordPress search results
  95. WordPress Get Header and Footer using in Admin Area
  96. Tie the sending of an ajax request to WordPress hooks
  97. ajax page template
  98. apply_filters, EMBEDS and AJAX not a friends? [duplicate]
  99. Using Javascript Callback from plugin in a theme
  100. Why does my Ajax Get request give a 400 bad request?

Leave a Comment