• I have a page with JS code that sends/requests data from a custom WP endpoint.

    When the page that contains my JS is accessed, I create a nonce.

    Then, when I have to send/receive data from the endpoint I set the ‘X-WP-Nonce’ header.

    At the endpoint level, in the function that manages the request, I verify the validity of the nonce by passing the nonce created when the page was accessed: if the nonce is not valid I return:

    new WP_Error('nonce_error', 'Invalid nonce', array( 'status' => 404 ));

    Now: the user that performs the action to request data must be logged in (he can't request data otherwise: the page is visible only to logged-in users and the endpoint is callable only by logged-in users, since I added a permission_callback. You can't directly access the page either; I added at the top of it if (!defined('ABSPATH')) exit;).

    But, I suppose that the following can happen:
    1. the user has a nonce started 11.57 hours ago;
    2. the user starts using the app with that nonce;
    3. when he submits data to the endpoint, the nonce has expired and he receives the error;

    In that case, the user is logged in but something wrong happens: something the user can’t control and can’t understand. For example, what alert could I display? “You’re not logged in, please login again”? The user is actually logged in!

    So, what’s the best way to deal with the nonce expiration?

    Any suggestion is appreciated
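As an added example (not the thread author's code), one way to handle the expired-nonce case on the client without sending a still-logged-in user back to the login page: send `X-WP-Nonce` as above, and when the endpoint rejects the nonce, fetch a fresh one over the cookie-authenticated session and retry once. `fetchImpl`, `state.nonceUrl` and the `/wp-json/...` path are assumptions so the logic runs offline; in the page they would be `window.fetch` and an endpoint that hands a fresh nonce to a logged-in user (WordPress core ships `admin-ajax.php?action=rest-nonce` for the `wp_rest` action; a custom action needs its own small endpoint).

```javascript
// Error codes that mean "the nonce is stale", not "the user is logged out":
// 'nonce_error' is the code the thread's handler returns, 'rest_cookie_invalid_nonce'
// is what WordPress core returns for the built-in 'wp_rest' check.
const NONCE_ERROR_CODES = new Set(['nonce_error', 'rest_cookie_invalid_nonce']);

function isNonceFailure(status, body) {
  // 401/403 from core, or the 404 status the thread's WP_Error uses
  return [401, 403, 404].includes(status) && !!body && NONCE_ERROR_CODES.has(body.code);
}

// state = { nonce, nonceUrl }; state.nonce is updated in place when renewed.
async function wpRequest(url, options = {}, state, fetchImpl) {
  const send = () =>
    fetchImpl(url, {
      ...options,
      credentials: 'same-origin', // auth cookie is what proves the user is logged in
      headers: { ...(options.headers || {}), 'X-WP-Nonce': state.nonce },
    });

  let res = await send();
  if (res.ok) return { ok: true, status: res.status, data: await res.json() };

  const body = await res.json().catch(() => null);
  if (!isNonceFailure(res.status, body)) {
    return { ok: false, status: res.status, data: body, message: 'Request failed' };
  }

  // Nonce expired but the session may be fine: ask the server for a fresh nonce.
  // The nonce endpoint itself relies on the auth cookie, so a logged-out user
  // gets a failure here and that is the only case that needs the "log in again" message.
  const nonceRes = await fetchImpl(state.nonceUrl, { credentials: 'same-origin' });
  if (!nonceRes.ok) {
    return {
      ok: false, status: nonceRes.status, data: null,
      message: 'Your session has expired. Please log in to continue where you left off.',
    };
  }
  state.nonce = (await nonceRes.text()).trim();

  res = await send(); // retry exactly once with the renewed nonce
  const data = await res.json().catch(() => null);
  return res.ok
    ? { ok: true, status: res.status, data, refreshed: true }
    : { ok: false, status: res.status, data, message: 'Request failed' };
}
```

The renewal request keeps the nonce's CSRF value: it is same-origin and cookie-authenticated, so a page on another origin can trigger it but cannot read the nonce it returns.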

Viewing 8 replies - 1 through 8 (of 8 total)
  • I see messages along the lines of “Your session has expired, please log in again.” all the time in web apps. WordPress itself can say:

    Your session has expired. Please log in to continue where you left off.

    So I think something like that is fine.

    • This reply was modified 7 years, 6 months ago by Jacob Peattie.
    Thread Starter islp

    (@islp)

    I’d like to avoid this thing for a usability reason: since I can’t restore the state of the app (I can, but I should do some work at the moment I can’t do), the user should go out to the login page, access again the page of the app, use again the app, send the data…

    Is there something like refreshing a nonce? I could do the following: when the page is accessed, I verify (if this is possible) the “age” of the nonce and, if it’s too old, I generate a new one. Is this possible?

    Not sure I understand. When you visit the page the nonce is always going to be fresh. The problem is that the nonce will get old if the user doesn’t do anything. Then when the user performs an action if you’re going to ‘refresh’ an old nonce, what’s the point of using a nonce at all?

    Thread Starter islp

    (@islp)

    I must say I should have tried but… I don’t remember where I read that if you consecutively create a nonce this has no effect, because there can be only one nonce with that name and, once set, it stays 12/24 hours. But… if you say what you are saying, this information could be wrong. Now I’ll try and see what happens.

    I didn’t say anything that would suggest that is wrong? I’m saying that even if you could regenerate a nonce, what’s the point of having one in the first place? A WordPress nonce probably isn’t what you’re after if you don’t want sessions to expire.

    Thread Starter islp

    (@islp)

    The problem isn’t the session expiration: the problem is a session expiration in an edge case.

    A nonce, in general, is quite useful, maybe less useful than other things (e.g. user_can), but in any case useful as an “added value”.

    Moderator bcworkz

    (@bcworkz)

    The nonce timing “starts” every 12 hours and is good for 24 hours, so a client page or app would need to request data, then idle for at least 12 hours and up to 24 hours before the nonce could possibly expire. In the very unlikely event this would happen, I would suggest the user reload the page or restart the app. Then a valid nonce would be generated through the proper protocol.

    While the nonce includes logged in cookie data, its purpose is not to validate that the user is logged in, that is what wp_validate_auth_cookie() is for. Nor is it to validate session data, PHP manages that itself. The purpose is to ensure the data sent from the client comes from a valid form or other content recently sent out by the server and not from some malicious app that is trying to circumvent the normal process. For example, brute force attacks are a lot more efficient if the attacker does not need to first request a form. Without requiring a valid nonce, the attacker can relentlessly pound your server with guesses at a very rapid rate. Getting the proper form and nonce takes time, greatly reducing the possible guesses per second.
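The 12-to-24-hour window described above follows from how WordPress computes nonce ticks, and it is what makes the original poster's "11.57 hours" case possible. The following is an added model (not code from the thread or from WordPress) that mirrors `wp_nonce_tick()` (ceil of the current time divided by half of `nonce_life`, default one day) and the verification rule that accepts the creation tick and the one after it; the functions are assumptions for illustration.

```javascript
// WordPress default nonce lifetime (filterable via 'nonce_life'); ticks are
// half that long and aligned to the Unix epoch, not to when a nonce is created.
const NONCE_LIFE = 24 * 60 * 60; // seconds
const HALF_LIFE = NONCE_LIFE / 2;

// Equivalent of wp_nonce_tick(): tick N covers ((N-1)*HALF_LIFE, N*HALF_LIFE].
function nonceTick(unixSeconds) {
  return Math.ceil(unixSeconds / HALF_LIFE);
}

// wp_verify_nonce accepts a nonce from the current tick or the previous one,
// so a nonce created in tick N verifies while the current tick is N or N+1.
function nonceStillValid(createdAt, checkedAt) {
  const age = nonceTick(checkedAt) - nonceTick(createdAt);
  return age === 0 || age === 1;
}

// Seconds of validity left for a nonce created at createdAt: it stops
// verifying once time passes the end of the tick after its creation tick.
function secondsUntilExpiry(createdAt) {
  const expiresAt = (nonceTick(createdAt) + 1) * HALF_LIFE;
  return expiresAt - createdAt;
}

// Hours of remaining validity for a nonce created at a given point inside
// a tick; 0 = start of the tick (~24 h left), 1 = end of the tick (12 h left).
function remainingHoursAtTickFraction(fraction) {
  const tickStart = 100 * HALF_LIFE; // any epoch-aligned tick boundary will do
  const createdAt = tickStart + Math.max(1, Math.round(fraction * HALF_LIFE));
  return secondsUntilExpiry(createdAt) / 3600;
}
```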

    Thread Starter islp

    (@islp)

    You must define “idle”: for example, we can have a user that comes back to that page every 3 hours and he could have the same nonce in every session.

    Reloading the page or restarting the app is not good UX practice: I should eventually store the state of the JS application, but at the moment it’s too much work and there’s not enough time.

    Thanks for pointing out what a nonce is.

  • The topic ‘What’s the best way to deal with the nonce expiration?’ is closed to new replies.