Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#199192
Ilan Firsov
Participant

Basically, when you save the nonce, save the expiry along with it, and check both on submission.

To add to this, I would verify the expiry time is not modified by an attacker.
I’d do something like this:

<?php
session_start(); // the nonce/expiry pair lives in the session, so a session must be open

// Form generation: bind the expiry into the nonce action and remember it server-side
$expiry = time() + 300;
$nonce  = wp_create_nonce( 'myform' . $expiry );
$_SESSION[ $nonce ] = $expiry;
?>
<form action="whatever" method="post">
    <input type="hidden" name="_wpnonce" value="<?php echo esc_attr( $nonce ); ?>">
    <input type="submit" value="Submit">
</form>

<?php
// Submission handling: the expiry is read back from the session, never from the
// request, so the client cannot extend it
$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
if ( isset( $_SESSION[ $nonce ] )
    && wp_verify_nonce( $nonce, 'myform' . $_SESSION[ $nonce ] )
    && time() < $_SESSION[ $nonce ] ) {
    // do stuff
}

Though usually I would not add the expiry to the session and just hardcode it in for something like that (bad practice, I know ;))
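The post above keeps the expiry in the session so the client cannot alter it. An alternative that reaches the same goal without per-token session state is to put the expiry inside the token and bind it with an HMAC, so any change to the expiry invalidates the MAC. The following is an added, self-contained example (not code from the forum post or from WordPress): `token_secret`, `create_token`, `verify_token`, the `TOKEN_TTL` value and the fixed clock are all assumptions made for the illustration, and `hash_hmac`/`hash_equals` stand in for the WordPress nonce functions.

```php
<?php
// Added example: expiring token with the expiry bound into an HMAC.
// All names and constants here are assumptions for the illustration.

const TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Server-side secret; in WordPress this role would be played by the nonce salt.
// A fixed string is used only so the example runs stand-alone.
function token_secret(): string {
    return 'example-secret-replace-with-random-bytes';
}

// Token format: "<expiry>.<mac>" with mac = HMAC-SHA256(secret, action|expiry|user_id).
// Because the expiry is an input to the MAC, editing it on the client breaks the MAC.
function create_token(string $action, int $user_id, int $now): string {
    $expiry = $now + TOKEN_TTL;
    $mac    = hash_hmac('sha256', $action . '|' . $expiry . '|' . $user_id, token_secret());
    return $expiry . '.' . $mac;
}

// True only if the token is well formed, the MAC matches for this action and user,
// and the embedded expiry is still in the future.
function verify_token(string $token, string $action, int $user_id, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return false; // malformed token
    }
    [$expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $action . '|' . $expiry . '|' . $user_id, token_secret());
    if (!hash_equals($expected, $mac)) {
        return false; // MAC mismatch: wrong action, wrong user, or tampered expiry
    }
    return $now < (int) $expiry; // reject once the bound expiry has passed
}

// Demonstration with a fixed clock so the outcome does not depend on when it is run.
$now   = 1700000000;
$token = create_token('myform', 42, $now);

var_dump(verify_token($token, 'myform', 42, $now + 10));       // fresh token, same action and user
var_dump(verify_token($token, 'myform', 42, $now + 301));      // same token after the TTL has passed
var_dump(verify_token($token, 'otherform', 42, $now + 10));    // token presented for a different action
var_dump(verify_token($token, 'myform', 7, $now + 10));        // token presented by a different user

// An attacker pushes the expiry a day into the future but cannot recompute the MAC.
[$expiry, $mac] = explode('.', $token, 2);
$tampered = ($expiry + 86400) . '.' . $mac;
var_dump(verify_token($tampered, 'myform', 42, $now + 301));   // tampered expiry
```

Unlike the session-backed version in the post, this token is stateless, so it can be replayed until it expires; if a form submission must be strictly single use, record consumed tokens server-side (or keep the session lookup) in addition to the expiry check. The comparison uses `hash_equals` so that MAC verification does not leak timing information.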