[wp-trac] Re: [WordPress Trac] #2678: Nonces instead of referers

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 26 19:53:11 GMT 2006

#2678: Nonces instead of referers
       Id:  2678            |      Status:  new                     
Component:  Administration  |    Modified:  Wed Apr 26 19:53:11 2006
 Severity:  normal          |   Milestone:                          
 Priority:  normal          |     Version:  2.1                     
    Owner:  anonymous       |    Reporter:  ringmaster              
Comment (by masquerade):

 {{{This solution tries to use a time check, but the logic doesn't work.}}}

 Sure it does

 {{{This code here is the problem: >$i = ceil(time() / 43200);}}}
 Not quite, keep reading

 {{{That takes the number of seconds since January 1 1970 00:00:00 GMT and
 counts how many 30 day chunks there have been.}}}

 No, since when was 43200 seconds 30 days? Last I checked, 43200 / 60
 (seconds) / 60 (minutes) = 12 hours.

 {{{The nonce evaluation simply checks to see if you are in the same 30 day
 chunk of time. It does not say "this nonce is valid for 30 days." In fact,
 if you visit this site with only one second left in the 30 day chunk, you
 will have 1 second in which to do all of your work.}}}

 You didn't look at the logic which checks, which also checks $i-1 against
 the hash, making the lifetime of the hash 12 hours to 24 hours.

 {{{Additionally, all days within that thirty day chunk evaluate as being
 the same chunk. So, as salt, $i really does nothing right now. So I don't
 think a solution of "just check the next chunk too" is a good one. A nonce
 that can be valid for two months is not really time based, imho.}}}

 Months are far too long, which is why no nonces last more than a day.

 {{{Generally speaking when used for security purposes in applications,
 Nonces should be valid for as short a time as possible. When used as a
 session key, this normally means a nonce is valid for minutes, not

 43200/120 minutes is much better than your accused 30 days.

Ticket URL: <http://trac.wordpress.org/ticket/2678>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list