• Resolved edtiley

    (@edtiley)


    Simple code:

    $starnonce = wp_create_nonce( 'star_nonce');

    I’m passing the nonce from a form, for verification.

    Why would I get the same value over and over again from WP, even after a reboot?

    TIA,

    Ed

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter edtiley

    (@edtiley)

    A little more depth.

    I’m creating a nonce and putting its value into a hidden input in a form. When the submit button is clicked, the action of the form (a function in a class) receives and verifies the nonce before doing anything.

    If I reload the page (even if I’ve closed the browser (FF or IE) between loads) I’m getting the same nonce value over and over.

    If I clear browser history, I’ll get a different nonce in the hidden field, but again I’ll get it over and over.

    The ajaxurl gets the nonce in $_POST and verifies it. It never gets rejected even after it’s been used over and over.

    What am I missing here? I don’t see the “security” in a nonce that lets itself be used over and over.

    I believe WordPress nonces aren’t literally numbers that are generated only once as the name would imply. They generate a string that expires after 24 hours.

    Moderator bcworkz

    (@bcworkz)

    I believe…

    Ben is being modest. His “belief” is exactly the case with no doubt.

    Thread Starter edtiley

    (@edtiley)

    Ben,

    My understanding of a nonce is that it expires after a specified Time To Live if unused, and manually expired immediately when it is used.

    So then any real benefit from a WordPress nonce (as preached for Ajax “security”) is cosmetic. It only confirms that a pre-request (create) was made, not that the foreshadowed event (verify) has actually taken place more than once.

    All that really does is make the developer feel good about following “best practices” I guess.

    Again, if I’m missing something here, please enlighten me.

    Thanks,

    Ed

    “I believe” – I wasn’t sure of the exact duration.

    There is a good outline by Mark Jaquith of how WordPress Nonces work here…

    Thread Starter edtiley

    (@edtiley)

    Ben,

    That article was written about version 2 of WP. I assume it works the same although the functions that create and verify are “new & improved” since then.

    He does point out that it is tied to the individual user and the cookie WP hands you on arrival. I can attest to that since I’ll get a different nonce if I’m logged in vs. not.

    I can see there is some protection afforded in that the nonce will not work for someone on a different client, etc. So if a hacker wants to delete a post, for example, they may succeed, but only once.

    On a recurring operation like a “like” or assigning a rating, it really doesn’t do much to disallow multiple instances.

    Thanks

    Ed

    Moderator bcworkz

    (@bcworkz)

    Ed,

    You bring up a good point of why it’s important to understand how the WP “nonce” really works. While it’s sufficient for its intended use of WP form submissions, it is possibly worthless for other uses, in which case one is best served by implementing a true nonce implementation. Use of the term “nonce” as implemented by WP is misleading as it is anything but. I understand the need to convey the intention of its use, I wish there was a better term than “nonce”. “Security token”?

    Anyway, an informative thread, glad you brought it up, and thanks to Ben too.

    -bc
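The behaviour Ed describes (the same value after every reload and reboot, a different one when logged out, and acceptance for many hours) follows directly from how WordPress derives the string, and bc's "true nonce implementation" is a small amount of extra code on top of it. The following is an added example, not code from this thread or from WordPress itself: it reimplements the shape of wp_create_nonce()/wp_verify_nonce() (an HMAC over tick|action|user|session, the last 10 characters kept, current and previous 12-hour tick accepted) with a constructed secret and fake session data so it runs with plain `php`, and then layers a genuinely single-use token on it. The constants, the session string and the in-memory $store are assumptions standing in for NONCE_KEY/NONCE_SALT, the session cookie and a server-side store such as the transient API.

```php
<?php
// Added example, not code from the thread: a stand-alone model of how a
// WordPress "nonce" is derived and why the same value comes back on every
// page load, plus a single-use token layered on top of it.
// It follows the shape of wp_create_nonce()/wp_verify_nonce() (HMAC over
// tick|action|uid|session, last 10 chars kept, current and previous tick
// accepted) but uses a constructed secret and fake session data, so it runs
// with plain `php` and needs no WordPress install.

const NONCE_LIFE = 24 * 60 * 60;              // WordPress default lifetime: one day
const SECRET     = 'constructed-secret-key';  // stands in for NONCE_KEY/NONCE_SALT

// The tick advances every half-life (12 h by default); inside one tick the
// same action, user and session always produce the identical string.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $uid, string $session): string {
    // wp_hash() is hash_hmac('md5', ...) over the same "tick|action|uid|session" input
    return substr(hash_hmac('md5', "$tick|$action|$uid|$session", SECRET), -12, 10);
}

function create_nonce(string $action, int $uid, string $session, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $uid, $session);
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce().
function verify_nonce(string $nonce, string $action, int $uid, string $session, int $now) {
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action, $uid, $session), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action, $uid, $session), $nonce)) {
        return 2;
    }
    return false;
}

// A real one-time token: random, remembered server-side, deleted when consumed.
// $store is an in-memory array here; in WordPress it would be the transient
// API or user meta (assumption: any server-side store the handler can reach).
function issue_once_token(array &$store, int $uid, int $now, int $ttl = 600): string {
    $token = bin2hex(random_bytes(16));
    $store["once_{$uid}_{$token}"] = $now + $ttl;   // remember its expiry
    return $token;
}

function consume_once_token(array &$store, int $uid, string $token, int $now): bool {
    $key = "once_{$uid}_{$token}";
    if (!isset($store[$key]) || $store[$key] < $now) {
        return false;                       // unknown, already used, or expired
    }
    unset($store[$key]);                    // burn it: a replay now fails
    return true;
}

// --- demonstration with constructed values ---
$uid     = 42;
$session = 'fake-session-token';
$t0      = 1700000000;                      // a fixed "now"

$first  = create_nonce('star_nonce', $uid, $session, $t0);
$reload = create_nonce('star_nonce', $uid, $session, $t0 + 3600);   // an hour and a "reboot" later
printf("reload gives the same nonce: %s\n", var_export($first === $reload, true));

// Tied to the session cookie: a logged-out visitor gets a different value.
$anon = create_nonce('star_nonce', 0, '', $t0);
printf("logged-out nonce differs:    %s\n", var_export($first !== $anon, true));

// Accepted repeatedly inside the window, then rejected once it has aged out.
printf("verify 1h later:  %s\n", var_export(verify_nonce($first, 'star_nonce', $uid, $session, $t0 + 3600), true));
printf("verify 13h later: %s\n", var_export(verify_nonce($first, 'star_nonce', $uid, $session, $t0 + 13 * 3600), true));
printf("verify 25h later: %s\n", var_export(verify_nonce($first, 'star_nonce', $uid, $session, $t0 + 25 * 3600), true));

// The one-time token is what actually stops a repeat submission.
$store = [];
$token = issue_once_token($store, $uid, $t0);
printf("first use:  %s\n", var_export(consume_once_token($store, $uid, $token, $t0 + 5), true));
printf("second use: %s\n", var_export(consume_once_token($store, $uid, $token, $t0 + 6), true));
```

Running it shows the three facts the thread converges on: within one tick the "reload" produces the identical string, a request from a different session (logged out) gets a different one, and the token verifies as current, then as previous tick, then not at all as it ages past the two-tick window. The WordPress token therefore proves that the request came from a page this user's session rendered recently (what it is designed for, and what check_ajax_referer() checks), not that the action has happened only once. For a "like" or rating handler that must run once per issued form, keep the WordPress check and add a consumable token as in consume_once_token(); in a real plugin the array would be replaced by set_transient()/get_transient()/delete_transient() keyed on the user and token, which is an assumption about the deployment rather than something the thread prescribes.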

    Thread Starter edtiley

    (@edtiley)

    bc,

    It’s form submissions where I find it particularly lacking.

    Oh, well. Sigh.

    Thanks,

    Ed

  • The topic ‘Same Nonce Value Over And Over Again?’ is closed to new replies.