• Resolved 99w

    (@ninetyninew)


    Hi,

    We develop a number of plugins and in one recently we have been made aware of and replicated an issue with nonce fields that we set in front end forms.

    These forms have nonce fields added via either wp_nonce_field or wp_create_nonce.

    What we have found is that when LiteSpeed Cache is enabled, pages containing these nonces are cached and get served up to other users. The nonce is therefore incorrect, and it causes functionality based off those nonces to fail due to a validation error.

    I have read up on this and noted this article and a few others.

    However, I’d like some clarity on exactly how someone with this issue can resolve the problem without disabling the entire cache.

    I understand that “Enable ESI” seems to be the solution and then adding in some of the nonce names to the ESI Nonces field in LiteSpeed Cache settings. However, the description under the “Enable ESI” setting seems to allude to that setting being a cache for logged-in users only?

    I’m just trying to determine exactly which settings need to be enabled to stop specific nonce fields being cached – which in turn should stop the issues with invalid nonces for our plugin.

    Thank you,

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support qtwrk

    (@qtwrk)

    Once ESI is enabled, it will apply to both guest users and logged-in users.

    You can add this to where you generate the nonce in your plugin:

    if ( apply_filters( 'litespeed_esi_status', false ) ) {
        // Check whether ESI is enabled before registering the nonce with LiteSpeed.
        do_action( 'litespeed_nonce', 'your_nonce_name' );
    }
    wp_create_nonce( 'your_nonce_name' );

    Thread Starter 99w

    (@ninetyninew)

    Thanks – that seems to answer how we could make a nonce not be cached via a plugin if ESI is enabled.

    However, currently the website in question has these settings:

    1. Cache (tab)
      All settings enabled except REST API
    2. TTL (tab)
      All settings set to the defaults
    3. ESI (tab)
      Enable ESI: disabled
      Cache admin bar: enabled
      Cache comment form: enabled
      ESI nonces: stats_nonce and subscribe_nonce

    With these settings we are experiencing product pages in WooCommerce being cached with an incorrect nonce field value, meaning products cannot be added to cart.

    I just want to confirm that, to ensure that the nonce field included in the product page does not get cached, the ESI setting must be enabled? And then the ESI Nonces setting populated with our nonce field names (or by adding that code provided earlier in the plugin). I am unsure if the ESI Nonces setting works solely if ESI is enabled or works without?

    Can you also confirm if the code provided above can allow a wildcard in the second parameter?

    We are also seeing in the code for LiteSpeed that if, for example, the Elementor theme is used, it seems to force LITESPEED_ESI_OFF to be true (?). The website in question is not using Elementor, but if it was, would that therefore mean the nonce issue would still be there for a website using Elementor?

    Plugin Support qtwrk

    (@qtwrk)

    Yes, ESI must be enabled, and if you don’t call the nonce API, then you will need to add the nonce name to the ESI nonce list.

    I am not sure what you mean by “wildcard in second param”?

    With Elementor, it is only disabled when you are in the editor mode; a normal visit won’t trigger it.
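
The approach described in the replies above, as an added example that is not part of the original thread and is not LiteSpeed's or the poster's own code: a front-end form whose nonce is registered through the `litespeed_nonce` hook when ESI is on, and verified server-side on submit. The `myplugin_*` names, the shortcode and the form fields are hypothetical.

```php
<?php
// Added example: hypothetical plugin code; every myplugin_* name is an assumption.
const MYPLUGIN_NONCE_ACTION = 'myplugin_subscribe'; // action string given to the nonce API
const MYPLUGIN_NONCE_FIELD  = 'myplugin_nonce';     // name of the hidden form field

// Print the hidden nonce field, registering its action with LiteSpeed Cache first.
function myplugin_nonce_field() {
    // The filter returns the default (false) when LiteSpeed Cache is absent or ESI is off.
    if ( apply_filters( 'litespeed_esi_status', false ) ) {
        do_action( 'litespeed_nonce', MYPLUGIN_NONCE_ACTION );
    }
    wp_nonce_field( MYPLUGIN_NONCE_ACTION, MYPLUGIN_NONCE_FIELD );
}

// Shortcode [myplugin_form]: a front-end form protected by the nonce.
function myplugin_render_form() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_subscribe">
        <?php myplugin_nonce_field(); ?>
        <input type="email" name="email" required>
        <button type="submit">Subscribe</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'myplugin_form', 'myplugin_render_form' );

// Handle the submission; reject it unless the nonce validates for this visitor.
function myplugin_handle_submit() {
    $nonce = isset( $_POST[ MYPLUGIN_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ MYPLUGIN_NONCE_FIELD ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, MYPLUGIN_NONCE_ACTION ) ) {
        // A stale nonce, or one generated for another visitor and served from cache, ends up here.
        wp_die( 'Security check failed. Please reload the page and try again.', '', array( 'response' => 403 ) );
    }
    // Nonce is valid: the request can be processed before redirecting back.
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
add_action( 'admin_post_myplugin_subscribe', 'myplugin_handle_submit' );
add_action( 'admin_post_nopriv_myplugin_subscribe', 'myplugin_handle_submit' );
```

The string passed to `litespeed_nonce` is the nonce action (the first argument of `wp_nonce_field`), not the form field name.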

  • The topic ‘Clarification on nonce caching and LS settings’ is closed to new replies.