How do WordPress Nonces Work?

If you read WordPress Nonces in Codex, they have explained it pretty fairly. Some of the key points are: always assume nonces can be compromised. Nonces are a hash made up of numbers and letters. WordPress verifies any https request with both nonces and user cookies. I believe point #3 is, in short, how …

How to expire a nonce?

The problem with expiring a nonce is that in WordPress, nonces aren't nonces in the purest sense of the term: "number used once." Rather, a WP nonce is a (substring of a) hash of a string involving a time signature at the moment it was generated, among other things: user ID, the action name and …

Nonces can be reused multiple times? Bug / Security issue?

In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces. …

Extend WordPress (4.x) session and nonce

Your problem is that you call wp_logout_url immediately after wp_set_auth_cookie. wp_set_auth_cookie() does some setcookie() calls. Unfortunately setcookie doesn't make the new value available instantly in the PHP global $_COOKIE. It must be set through a new HTTP request first. wp_logout_url() (via wp_nonce_url > wp_create_nonce > wp_get_session_token > wp_parse_auth_cookie) fetches $_COOKIE[LOGGED_IN_COOKIE] in order to create a …

How to use nonce with front end submission form?

Use the following code inside just before tag on your front end code. wp_nonce_field('name_of_your_action', 'name_of_your_nonce_field'); The above code will generate two hidden inputs inside your form tag. Now you can verify your nonce in the backend where you will process your form. Use the following code to verify the nonce you just created above. if(wp_verify_nonce($_REQUEST['name_of_your_nonce_field'], …

Are Nonces Useless?

Nonces are unique to each logged-in user. You can't scrape a logged-in user's nonces unless you have their cookies. But if you have a user's cookies, you've already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn't mean to do, by …

Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script

Take a closer look at the function rest_cookie_check_errors(). When you get the nonce via /wp-json/nonce/v1/get, you're not sending a nonce in the first place. So this function nullifies your authentication, with this code: if ( null === $nonce ) { // No nonce at all, so act as if it's an unauthenticated request. wp_set_current_user( 0 …

How does nonce verification work?

TL;DR In short, wp_verify_nonce() uses that value because it expects that value as its first argument. wp_verify_nonce() arguments: wp_verify_nonce() receives 2 arguments: $nonce, $action. The value in the hidden field ('cabfd9e42d' in your example) represents the $nonce. The 1st argument is the nonce, and comes from the request. In fact, wp_verify_nonce() has to be used like …