If anybody is strangling with it, the proper solution is to use both wp_set_auth_cookie specifying the second parameter being the logged_in cookie, which now gives me the following code: wp_set_current_user($user_id); if ( wp_validate_auth_cookie( ”, ‘logged_in’ ) != $user_id ) { wp_set_auth_cookie( $user_id ); } And to add an action, as suggested in this thread: Extend … Read more
You are not inserting the nonce field in your form, so your script won’t recieve the nonce field and this code: if ( !isset($_POST[‘nonce_name’])) Will be validated becasue $_POST[‘nonce_name’] is not set. In your code, remove this line: <input type=”hidden” value=””.wp_nonce_field(“nonce_action’,’nonce_name’).”‘/> And, where it said //TODO: set nonce, you need to include: $out .= wp_nonce_field( … Read more
I get it a few time on my Hostnoc hosting, it happens when you have something running at the back of your WordPress (i.e. cron job or schedule backup up etc), this happens when you put a lot of usage on the server. Make sure you save each and everything before pressing publish. Furthermore, changed … Read more
Depends, will the form work with AJAX turned off? If so use an input and degrade gracefully. Otherwise, define nonces used by JS using JS for consistency, and to prevent grabbing stuff from the DOM
Nonces are not tied to the admin interface. This codex page explains them very well. Essentially, you add : <?php wp_nonce_field(‘name_of_my_action’, ‘name_of_nonce_field’); ?> in your form (this creates a hidden input field containing an one-time-use token). And where you’re doing the form processing you just check if the nonce is correct if(!wp_verify_nonce($_POST[‘name_of_nonce_field’], ‘name_of_my_action’)){ // no … Read more
Just use get_delete_post_link( $post_ID ) – it’ll return the absolute URL with nonce and all! Just to be clear, this will get the link to trash posts (if trash supported). If you want to skip trash & get the perma-delete link, pass a second argument of true*. http://codex.wordpress.org/Function_Reference/get_delete_post_link Update: Having checked the source, it seems … Read more
More context would be helpful. Is that all the code found in your plugin or functions file directly? Or are you hooking in to something via add_action. Anyway, what’s probably wrong is that you’re calling wp_localize_script and wp_enqueue_script outside of an action. wp_create_nonce, or, rather, the file in which it resides, has yet to be … Read more
The problem with expiring a nonce is that in WordPress, nonces aren’t nonces in the purest sense of the term: “number used once.” Rather, a WP nonce is a (substring of a) hash of a string involving a time signature at the moment it was generated, among other things: user ID, the action name and … Read more
TL;DR In short, wp_verify_nonce() uses that value because it expects that value as its first argument. wp_verify_nonce() arguments wp_verify_nonce() receives 2 arguments: $nonce $action The value in the hidden field (‘cabfd9e42d’ in your example) represent the $nonce. 1st argument is the nonce, and comes from the request In fact, wp_verify_nonce() have to be used like … Read more