WordPress & _nonce

  • Hello,

    I have a problem with the nonce issue. For me, the nonce value always stays the same. This also does not change across browsers or when I activate the Inkoknito mode. Is this a normal behavior?

    I only noticed this because when logged in, the form nonce is not the same as the validation nonce. The validation failed. However, only when I am logged in. Otherwise the form and the send works. Only the nonce does not change. I find this currently very strange I would appreciate any help, explanations or experiences.

    Here is some background information:

    • no active caching active, neither by serverconfig nor by plugin.
    • Theme from https://underscores.me/
    • Plugins ACF, Polylang, WP Mail SMTP, Yoast active.

    I have a home page, on it there is a popup which is activated via JS and the HTML block is changed to display:block;.

    In this process the nonce is created in the form. I have tested two variants:

    <?php #wp_nonce_field( 'popup_form_nonce', '_wpnonce' ); ?> and 
<input type="hidden" name="_wpnonce" id="popup_form_nonce" value="<?php #echo wp_create_nonce('popup_form_nonce'); ?>" />

    Interestingly, the nonce value was the same for both.

    When the form is submitted, it runs in a JS check and then it is forwarded with “fetch(‘/wp-json/popupmailer/v1/mail” and processed server-side.

    let object = {};
  formData.forEach(function(value, key){
    object[key] = value;
  });
  
  // send data
  fetch('/wp-json/popupmailer/v1/mail', {
    method: 'POST',
    headers: {
      'content-type': 'application/json'
    },
    body: JSON.stringify(object)
  })
  // .then(response => response.json())
  .then(response => response.text())
  .then(data => {
    console.log('response text:', data);
    const jsonData = JSON.parse(data);

    Server-side processing

    	$nonce = $request->get_param('_wpnonce');
	$server_nonce = wp_create_nonce('popup_form_nonce');
	
	error_log(print_r($request->get_params(), true));
	error_log('Nonce: ' . $nonce);
	error_log('Name: ' . $request->get_param('name'));
	error_log('Tel: ' . $request->get_param('tel'));
	error_log('Time: ' . $request->get_param('time'));

	if (!wp_verify_nonce($nonce, 'popup_form_nonce')) {
		return new WP_REST_Response(array('status' => 'error', 'message' => 'Invalid nonce', 'nonce_received' => $nonce, 'server_nonce' => $server_nonce, 'request_parameters' => $request->get_params()), 403);
	}
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    WP nonces are not true nonces. They can be used more than once. Assuming the same seed phrase is used (as is normal), any particular user will see the same nonce for up to 12 hours. That nonce will validate as many times as it is used for up to 24 hours. For typical WP nonce usage of validating forms, this “feature” is not of any concern.

    If you require better security from a true nonce, you’d need to implement your own nonce scheme where it is truly only used once.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    More to the point, nonces should only be used for logged in users. For anonymous users, the nonce will be the same.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WordPress & _nonce’ is closed to new replies.