• Resolved timholz

    (@timholz)


    Hi – I create a cryptographically random nonce value as follows:

    add_filter("TOA_PLUGIN/nonce_scriptx", function ($_) {
        // Generate the nonce once per request and reuse it for every call,
        // so the CSP header and all script tags carry the same value.
        if (!isset($GLOBALS["TOA_PLUGIN"]["nonce_scriptx"])) {
            $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"] = bin2hex(random_bytes(12));
        }
        return $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"];
    });

    I then add this value to my scripts and inline scripts. This works well. Every page has a different nonce.
    But on revisiting a page I notice that the same nonce is shown in the CSP header.
    From this I conclude that the nonce is statically cached.
    Is there a way to exclude the nonce from being cached?
    Regards Theo

    P.S.: The nonce changes as it should when revisiting a page with LiteSpeed deactivated.

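    A per-request CSP nonce only works if the response carrying it is never replayed from a full-page cache. The following is an added example, not code from this thread or from the LiteSpeed Cache plugin: it generates one nonce per request, sends it in the CSP header, stamps it on every enqueued and inline script, and opts the response out of LiteSpeed's page cache. It assumes the `toa_` prefix is hypothetical, that `litespeed_control_set_nocache` is the LSCWP action for marking a request non-cacheable, and that the `wp_script_attributes` / `wp_inline_script_attributes` filters are available (WordPress 5.7+).

```php
<?php
// Added example; assumptions: `toa_` prefix is hypothetical,
// `litespeed_control_set_nocache` is LSCWP's "do not cache this request" action,
// and wp_script_attributes / wp_inline_script_attributes exist (WP 5.7+).

function toa_csp_nonce(): string {
    // A static lives only for the PHP process handling this request, so the
    // value is shared by every call in this response and never across responses.
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits from the CSPRNG, base64-encoded as the CSP grammar expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Send the policy before any output. Header and markup are produced by the
// same request, so they carry the same nonce.
add_action('send_headers', function () {
    $nonce = toa_csp_nonce();
    header("Content-Security-Policy: script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");

    // A cached copy of this response would replay an old nonce in the header
    // while freshly generated tags carry a new one, which is exactly the
    // mismatch reported in the thread. Mark the response as non-cacheable.
    if (defined('LSCWP_V')) {
        do_action('litespeed_control_set_nocache', 'per-request CSP nonce');
    }
});

// Attach the nonce to every <script> tag WordPress prints for this request.
$toa_add_nonce = function (array $attributes): array {
    $attributes['nonce'] = toa_csp_nonce();
    return $attributes;
};
add_filter('wp_script_attributes', $toa_add_nonce);
add_filter('wp_inline_script_attributes', $toa_add_nonce);
```

    The cost is that these responses bypass the page cache entirely; LiteSpeed's ESI nonce list does not help here because, as noted later in the thread, a WordPress nonce stays constant within its lifetime and is not a per-response random value.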
Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Support qtwrk

    (@qtwrk)

    please check this page

    Thread Starter timholz

    (@timholz)

    Thanks for responding. Reading the usage example, I presume that this applies to specific HTML elements. But how does this apply to nonces? Do I have to exclude the whole script from being cached? I tried:

    add_filter("TOA_PLUGIN/nonce_scriptx", function ($_) {
        // put the data in cache to be sure to return the same value on all calls
        if (!isset($GLOBALS["TOA_PLUGIN"]["nonce_scriptx"])) {
            $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"] = bin2hex(random_bytes(12));
        }
        echo apply_filters( 'litespeed_esi_url', 'my_esi_block', 'Custom ESI block' );
        return $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"];
    });

    and then the function the action hook as described. Result: an error is issued. Obviously this does not really apply.

    Plugin Support qtwrk

    (@qtwrk)

    Are you creating your own custom nonce system?

    Why not use WordPress’s own wp_create_nonce()? We have native ESI support for WP nonces.

    Thread Starter timholz

    (@timholz)

    Yes, I am. I tried wp_create_nonce() and found out that it is the same nonce value throughout the whole website. It never changes and it is, as I learned, not cryptographically random either.

    I noticed that "Convert custom nonce to ESI" exists. I’ve even tried it, but without any success. The example is not very clear. For instance:

    Then you need to call the API somewhere before that line, like so:

    What does that mean? Somewhere before? Within the function that has wp_create_nonce() or outside?

    Plugin Support qtwrk

    (@qtwrk)

    Well, that’s how WP made its nonce.

    ref: https://developer.www.ads-software.com/apis/security/nonces/

    Back to topic.

    Imagine you have code like

    ...
    wp_create_nonce('my-nonce-name');
    ...

    Then you change it to

    ...
    // register the nonce with LSCWP first, then create it as usual
    do_action( 'litespeed_nonce', 'my-nonce-name' );
    wp_create_nonce('my-nonce-name');
    ...

    Or you can add a check to see if LSCWP and ESI are enabled:

    ...
    // only register the nonce with LSCWP when the plugin is loaded and ESI is on;
    // the original post had this condition inverted
    if ( defined('LSCWP_V') && apply_filters( 'litespeed_esi_status', false ) ) {
        do_action('litespeed_nonce', 'my-nonce-name');
    }
    wp_create_nonce('my-nonce-name');
    ...

    Or even simpler, just go to LiteSpeed Cache -> Cache -> ESI -> enable ESI, add my-nonce-name to the ESI nonce list, save and purge.

    Thread Starter timholz

    (@timholz)

    OK. This is my test:

    add_action( 'run_custom_nonce_value', 'custom_nonce_value' );
    function custom_nonce_value() {
        do_action('litespeed_nonce', 'GurkensalatmitSauce');
        $created_nonce = wp_create_nonce('GurkensalatmitSauce');
        echo 'nonce_test: ' . $created_nonce;
        return $created_nonce;
    }

    ESI enabled and ‘GurkensalatmitSauce’ added to the list. The echo is:

    nonce_test: nonce_test: [an error occurred while processing this directive] 5d557226b9 

    In the console I get various errors that scripts and inline scripts are rejected. With ESI disabled there are no errors at all, but the same nonce everywhere.

    Thread Starter timholz

    (@timholz)

    And another test with ESI enabled and 'my-nonce-name' added to the ESI nonces field:

    do_action('litespeed_nonce', 'my-nonce-name');
    $GLOBALS['testnonce'] = wp_create_nonce('my-nonce-name'); // to retrieve the value in various places

    Shows the same nonce throughout the whole site. do_action('litespeed_nonce','my-nonce-name'); does not do anything. I conclude that this is good for nothing. The rest of litespeed works well though.

    Plugin Support qtwrk

    (@qtwrk)

    It doesn’t change; as far as I know, within the valid time (12-24h) the nonce value is the same.

    The ESI nonce is there to address nonce expiration with cache: the whole page is cached for 7 days, while the nonce is only cached for 12 hours.

    Thread Starter timholz

    (@timholz)

    Thanks for your care. But as I said, this is not cryptographically random and therefore not suitable for CSP.

    Plugin Support qtwrk

    (@qtwrk)

    Yes, it’s not exactly a value used only once, but that’s how WordPress did it; we cannot change that.

    Thread Starter timholz

    (@timholz)

    CSP and the measures to protect scripts are something to keep in mind. Millions of people use LiteSpeed. And all these people are somehow vulnerable with nonces that live for 12 hours… Let us see where this CSP stuff is going. Thank you.

    Plugin Support qtwrk

    (@qtwrk)

    As I have explained, the WordPress system did it that way.

    A quote from the WordPress documentation about nonces:

    By default, a nonce has a lifetime of one day. After that, the nonce is no longer valid even if it matches the action string. To change the lifetime, add a nonce_life filter specifying the lifetime in seconds.

    and

    WordPress’s security tokens are called “nonces” (despite the above-noted differences from true nonces) because they serve much the same purpose as nonces do. They help protect against several types of attacks including CSRF, but do not protect against replay attacks because they aren’t checked for one-time use. Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.

    Thread Starter timholz

    (@timholz)

    Thanks a lot for this concise information. Regards, Theo

  • The topic ‘How to exclude nonce from being cached?’ is closed to new replies.