March 28, 2015 at 11:51 pm
#199192
Basically, when you save the nonce, save the expiry along with it, and check both on submission.
To add to this, I would verify the expiry time is not modified by an attacker.
I’d do something like this:
<?php
session_start(); // $_SESSION is only available after the session has been started
$expiry = time() + 300; // the form is good for five minutes
// The expiry is part of the nonce action, so changing it breaks the nonce.
$nonce = wp_create_nonce( 'myform' . $expiry );
$_SESSION[ $nonce ] = $expiry; // keep the expiry server-side, keyed by the nonce
?>
<form action="whatever" method="post">
<input type="hidden" name="_wpnonce" value="<?= esc_attr( $nonce ) ?>">
<input type="submit" value="Submit">
</form>
<?php
// On submission (session_start() again if this runs in a separate request):
$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
if ( $nonce !== '' && isset( $_SESSION[ $nonce ] )
    && wp_verify_nonce( $nonce, 'myform' . $_SESSION[ $nonce ] ) // nonce must match the stored expiry
    && time() < $_SESSION[ $nonce ] ) { // and the expiry must not have passed
    // do stuff
}
Though usually I would not add the expiry to the session and just hardcode it in for something like that (bad practice, I know ;))
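As an added example (not the poster's code, and independent of wp_create_nonce): the same idea without storing an expiry per nonce in the session. The expiry travels inside the token and is covered by an HMAC, so an attacker cannot move it without invalidating the token. It assumes $secret is a server-side key (in WordPress, something like wp_salt( 'nonce' )) and that $session_id is the visitor's session id; hash_hmac and hash_equals are PHP standard library functions.

```php
<?php
// Added example: expiry-bound nonce with the expiry embedded in the token.
// $secret is assumed to be a server-side key; $session_id binds the token
// to one visitor. Token layout: <expiry>.<hex hmac>.

function make_expiring_nonce( string $action, string $secret, string $session_id, int $ttl = 300, ?int $now = null ): string {
    $expiry = ( $now ?? time() ) + $ttl;
    $mac    = hash_hmac( 'sha256', $action . '|' . $expiry . '|' . $session_id, $secret );
    return $expiry . '.' . $mac;
}

function verify_expiring_nonce( string $token, string $action, string $secret, string $session_id, ?int $now = null ): bool {
    $parts = explode( '.', $token, 2 );
    if ( count( $parts ) !== 2 || ! preg_match( '/^\d{1,12}$/', $parts[0] ) ) {
        return false; // malformed token
    }
    [ $expiry, $mac ] = $parts;
    if ( ( $now ?? time() ) >= (int) $expiry ) {
        return false; // expired
    }
    // Recompute the MAC over the action, the expiry as received, and the session id.
    $expected = hash_hmac( 'sha256', $action . '|' . $expiry . '|' . $session_id, $secret );
    return hash_equals( $expected, $mac ); // constant-time comparison
}

// Demonstration with constructed values (not real keys or sessions).
$secret  = 'constructed-secret-replace-in-production';
$session = 'constructed-session-id';
$t0      = 1700000000;

$nonce = make_expiring_nonce( 'myform', $secret, $session, 300, $t0 );

// Checked within the TTL, then one second after it has passed.
var_dump( verify_expiring_nonce( $nonce, 'myform', $secret, $session, $t0 + 60 ) );
var_dump( verify_expiring_nonce( $nonce, 'myform', $secret, $session, $t0 + 301 ) );

// Tampering: push the embedded expiry an hour into the future. The received
// expiry is fed back into the HMAC, so the stored MAC no longer matches it.
[ $expiry, $mac ] = explode( '.', $nonce, 2 );
$tampered = ( $expiry + 3600 ) . '.' . $mac;
var_dump( verify_expiring_nonce( $tampered, 'myform', $secret, $session, $t0 + 60 ) );

// A token issued to one visitor is not valid for another session.
var_dump( verify_expiring_nonce( $nonce, 'myform', $secret, 'other-session', $t0 + 60 ) );
```

Because nothing is stored per nonce, this does not give one-time use; if a form must not be submitted twice, keep the session entry from the post and unset it after a successful check.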