In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces. … Read more
Your problem is that you call wp_logout_url immediately after wp_set_auth_cookie. wp_set_auth_cookie() does some setcookie() calls. Unfortunately setcookie doesn’t make the new value available instantly in the PHP global $_COOKIE. It must be set through a new HTTP Request first. wp_logout_url() (via wp_nonce_url > wp_create_nonce > wp_get_session_token > wp_parse_auth_cookie) fetches $_COOKIE[LOGGED_IN_COOKIE] in order to create a … Read more
Use the following code inside just before tag on your front end code. wp_nonce_field(‘name_of_your_action’, ‘name_of_your_nonce_field’); The above code will generate two hidden inputs inside your form tag. Now you can verify your nonce in the backend where you will process your form. Use the following code to verify the nonce you just created above. if(wp_verify_nonce($_REQUEST[‘name_of_your_nonce_field’], … Read more
Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by … Read more
Take a closer look at the function rest_cookie_check_errors(). When you get the nonce via /wp-json/nonce/v1/get, you’re not sending a nonce in the first place. So this function nullifies your authentication, with this code: if ( null === $nonce ) { // No nonce at all, so act as if it’s an unauthenticated request. wp_set_current_user( 0 … Read more
Here’s a very lengthy answer of my own question that goes beyond just addressing the question of generating unique nonces for subsequent Ajax requests. This is an “add to favorites” feature that was made generic for the purposes of the answer (my feature lets users add the post IDs of photo attachments to a list … Read more
The WordPress nonce creation function is to be called only on the init hook: Use the init or any subsequent action to call this function. Calling it outside of an action can lead to troubles. See #14024 for details. Since the init hook “runs after WordPress has finished loading but before any headers are sent”, … Read more
TL;DR In short, wp_verify_nonce() uses that value because it expects that value as its first argument. wp_verify_nonce() arguments wp_verify_nonce() receives 2 arguments: $nonce $action The value in the hidden field (‘cabfd9e42d’ in your example) represent the $nonce. 1st argument is the nonce, and comes from the request In fact, wp_verify_nonce() have to be used like … Read more
I would recommend so. You do (and should) have your own nonce with which to check the origin of the data and the intent of the user. If you have just one nonce for a metabox – then you run into problems if that metabox is removed (not the same as hidden). If removed the … Read more
I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce, and the referring url. After digging into the core code I realised that it did not do this. Thinking it was a bug I reported it, and Ryan Boren replied with the following: Actually, if the nonce is valid the referrer should not be … Read more