Resolved: gabez123 (@gabez123)


    Hi,

    I have built some functionality into my wordpress theme to allow users to register and login through the front end using ajax functionality to verify and register/log the user in.

    My question is regarding the nonce. Because I use a caching plugin, for a certain period of time between the nonce expiring and the page cache refreshing, the page displays an expired nonce and therefore the ajax login does not work and it's sending the old cached nonce.

    My question is, what is the best practice for this situation?

    As I see it I have several options:

    1- Remove the nonce completely for login/registration and just leave it open so anyone can try to log in/register directly through ajax. Is this a security issue or is it standard?

    2- Somehow load the nonce dynamically through another ajax request to bypass the caching feature.

    3- Build my own nonce system that also refreshes the cache when the nonce is updated. (seems overkill)

    I feel like this should be fairly standard and I shouldn't have to re-invent the wheel but I can't seem to find an answer. I’ve seen some people online say one should just refresh the cache more often, but even then, from my calculations, there would still be a period of time when the nonce expires and the cache refreshes where the nonce would be invalid.

    Thanks for the help!
    G

  • A nonce is used when you want to protect the action that the user is initiating from being intercepted and spoofed to do other things. So each nonce should be generated with something specific in it. An example would be for a user wanting to delete a post. The nonce would have the action of delete and also the post ID, so if the nonce is compromised, it can only be used for that action on that post.
    When you are logging in, what action and specific data are you trying to protect?
    The actual login is already protected by having the user and the password needing to match. The value of a nonce is that it is generated on the server, and that’s the value that the server needs to find to allow the action. So doing anything on the client defeats the purpose because the client could be anyone.

    Other than that, login doesn’t belong in a theme. Move your code to a plugin, and you can simply use the existing WP logic. And your code should work regardless of caching, which a theme shouldn’t have to be concerned about.

    Thread Starter gabez123

    (@gabez123)

    Hi Joy,

    The purpose is to help someone from trying to stop a bot from brute forcing the ajax url and trying to guess username/password combinations.

    I did just figure this out however. Read up the details on how nonces work. Apparently they work for “2 ticks” meaning they expire in 24 hours, each “tick” being 12 hours. The interesting thing is that even though the nonce gets replaced for a new nonce every 12 hours, they are still valid for the full 24 hours. This means that at any one time, 2 different nonces are valid, not just the one.

    So, long story short, this means that as long as I set the site cache to less than 12 hours, the nonce will always work, so problem solved.
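The tick behaviour described in the reply above, and Joy's point that a nonce is bound to a specific action, can be checked numerically. The following Python is an added example that is not part of this thread and not WordPress's own code: it models `wp_nonce_tick()`, `wp_create_nonce()` and `wp_verify_nonce()` (12-hour ticks, 10-character hash, return value 1 for the current tick and 2 for the previous one), with a constructed HMAC key standing in for WordPress's salted `wp_hash()`. The `cached_nonce_survives()` helper, the `ajax_login` action name and the timestamps are constructed for the demo; they answer the original question of how large a page-cache TTL can be before a cached nonce is served after it has expired.

```python
import hashlib
import hmac
import math

# Constructed demo secret standing in for WordPress's salted wp_hash(); not a real key.
NONCE_SECRET = b"constructed-demo-secret"

DAY_IN_SECONDS = 86400
NONCE_LIFE = DAY_IN_SECONDS          # WordPress default lifetime (filterable in WP)
HALF_LIFE = NONCE_LIFE // 2          # one "tick": 12 hours


def nonce_tick(now):
    """Model of wp_nonce_tick(): the tick counter advances every NONCE_LIFE/2 seconds."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _hash_for_tick(tick, action, uid, token):
    # Same input layout as WordPress: tick|action|user id|session token,
    # keeping ten characters near the end of the hex digest.
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def make_nonce(action, now, uid=0, token=""):
    """Model of wp_create_nonce(). uid=0 and an empty token model a logged-out visitor,
    which is the case for a cached front-end login page."""
    return _hash_for_tick(nonce_tick(now), action, uid, token)


def verify_nonce(nonce, action, now, uid=0, token=""):
    """Model of wp_verify_nonce(): 1 if generated this tick, 2 if generated the previous
    tick, False otherwise. Two ticks are therefore accepted at any moment."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for back, result in ((0, 1), (1, 2)):
        expected = _hash_for_tick(tick - back, action, uid, token)
        if hmac.compare_digest(expected, nonce):
            return result
    return False


def cached_nonce_survives(cache_ttl):
    """Worst case for a page cache: the nonce is generated in the last second of a tick
    (the tick boundary itself), the page is cached, and a browser submits that nonce
    exactly when the cache entry is about to expire. Returns what verification yields."""
    created = 10 * HALF_LIFE                 # constructed timestamp on a tick boundary
    nonce = make_nonce("ajax_login", created)
    return verify_nonce(nonce, "ajax_login", created + cache_ttl)


if __name__ == "__main__":
    for hours in (1, 6, 12, 13, 24):
        print(f"cache TTL {hours:>2}h -> verify returns {cached_nonce_survives(hours * 3600)!r}")
```

Running it shows that in the worst case a cached nonce verifies (with result 2, "previous tick") for any TTL up to 12 hours and fails once the TTL exceeds a tick, which is the reasoning behind keeping the cache shorter than 12 hours. Verifying the same nonce against a different action fails, which is the action binding Joy describes; and as Joy also notes, a logged-out nonce contains no user or session data, so every visitor of the cached page receives the same value.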

The topic ‘Best practice using nonce with front end login?’ is closed to new replies.