• Resolved WSO.host

    (@buzznot99)


    Pirate Forms uses a wordpress-nonce hidden form field. This is a problem for any site that uses a caching plugin as the nonce value gets cached and then somebody else ends up trying to submit a form using a cached nonce value that wasn’t meant for them.

    Please read this:
    https://kovshenin.com/2012/nonces-on-the-front-end-is-a-bad-idea/

    He is right. Don’t use a nonce on the front end for non-logged in users. It just isn’t the right way to use it and it breaks functionality if a caching plugin is used.

    Hope you can get this resolved quickly as it is causing all kinds of issues. And I bet a TON of people are also having this problem since Zerif Lite is so popular and it ships with this plugin.

    https://www.ads-software.com/plugins/pirate-forms/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter WSO.host

    (@buzznot99)

    Guys, this is super important. Do you understand the nature of the issue?

    Any web site using a caching plugin and Pirate Forms is going to have this problem where the nonce value will expire before the cache is rebuilt and when a person tries to submit the form it will fail with a “nonce failed” error message.

    To make things worse, if the person simply hits submit again without clicking into any of the form boxes, the reCaptcha won’t appear and so then they will get a reCaptcha failed message.

    1. Remove the use of a nonce on your forms. It isn’t useful in this case.

    2. Do not require a person to click inside of a form field for the reCaptcha to appear. That is a nice feature in a way, but in a strange case like this it just makes things more complicated. Simply display it at the start.

    Please respond and move forward on these issues. We have live sites that are affected. Going to have to use something else soon.

    Thank you!

    Hi,

    Thank you for reporting this issue to us. If there is something important, then we recommend you always email us at [email protected] as those emails get higher priority.

    I’ve reported this to our developers and we will see what we can do to fix it. Thank you again.

    Regards,
    Hardeep

    Thread Starter WSO.host

    (@buzznot99)

    Thanks for the response. Maybe even consider making nonce optional. Just put in a checkbox in settings with a little explanation mainly pointing out that if a caching plugin is being used then nonce should be off, or not used.

    Hi,

    We just added this on the to do list for Pirate Forms, and we’ll add an option to disable the nonce in the next update.

    Thank you,
    Rodica

    Thread Starter WSO.host

    (@buzznot99)

    Great to see this will be added. Please be sure you also change the reCaptcha functionality so that it shows up without having to click inside a form element. I understand why you did it, it does look nice. But in the case where somebody tries to resend the form without changing anything (admittedly, this would be rare) they would get a reCaptcha error.

    Can’t wait to see the nonce issue addressed. Thank you!

    Hi,

    Just wanted to let you know that in the latest version of the plugin, we just added an option to make the nonce optional, plus some other improvements.
    If you want, you can try it, and let us know if everything is ok.

    Thank you,
    Rodica

    Thread Starter WSO.host

    (@buzznot99)

    Testing it now, thanks. I’ve changed my rating to 5 stars and I’ll let you know if I see any issues. I believe having reCaptcha in place means there is no need for a nonce.

  • The topic ‘nonce issue’ is closed to new replies.
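
An added example, not part of the thread and not Pirate Forms code: a Python model of the WordPress nonce scheme (12-hour ticks, with the current and previous tick accepted) showing why a nonce baked into a cached page is rejected once the cache outlives it. The salt, action name and timestamps are constructed, and the functions are simplified stand-ins for `wp_create_nonce()` and `wp_verify_nonce()`.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 86400          # WordPress default nonce lifetime: one day, in seconds
SALT = b"constructed-salt"  # constructed stand-in for the site's nonce key and salt
RENDERED_AT = 1_700_000_000  # constructed Unix time at which the page was cached


def nonce_tick(now: int) -> int:
    """Half-lifetime counter: the value changes every 12 hours by default."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _digest(tick: int, action: str, uid: int, token: str) -> str:
    # HMAC-MD5 over "tick|action|uid|token", keeping 10 hex characters.
    data = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action: str, now: int, uid: int = 0, token: str = "") -> str:
    """Nonce for the current tick.

    A logged-out visitor has uid 0 and an empty session token, so every
    anonymous visitor receives the same value within a tick.
    """
    return _digest(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, action: str, now: int, uid: int = 0, token: str = "") -> int:
    """Return 1 (current tick), 2 (previous tick) or 0 (rejected)."""
    tick = nonce_tick(now)
    for result, candidate in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_digest(candidate, action, uid, token), nonce):
            return result
    return 0


def submit_from_cached_page(cache_age_hours: float, action: str = "contact_form") -> int:
    """Render the form at RENDERED_AT, then submit it cache_age_hours later."""
    cached_nonce = create_nonce(action, RENDERED_AT)
    submitted_at = RENDERED_AT + int(cache_age_hours * 3600)
    return verify_nonce(cached_nonce, action, submitted_at)
```

A page served from cache for more than a day always carries a rejected nonce; between 12 and 24 hours the outcome depends on where the tick boundary falls relative to when the page was cached.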