[wp-trac] [WordPress Trac] #21111: Make nonce unique for users AND non-users

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 29 14:17:46 UTC 2012


#21111: Make nonce unique for users AND non-users
-------------------------+-----------------------------
 Reporter:  sc0ttkclark  |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:  3.4
 Severity:  normal       |   Keywords:
-------------------------+-----------------------------
 Currently, wpnonce works from the nonce tick + action + current user ID.
 That means the nonce is only guaranteed unique for the current user, and
 all other non-users can potentially share the same nonce.

 As a solution to this problem, I'm requesting we add additional
 uniqueness for non-users. See below for my suggestion; it would go
 directly below the $uid variable set, within wp_create_nonce and
 wp_verify_nonce.

 {{{
     // Note: uniqid() returns a fresh value on every call, so the value
     // chosen here in wp_create_nonce must be persisted (e.g. in a cookie)
     // and reused in wp_verify_nonce, or the two functions will never agree.
     if ( empty( $uid ) )
         $uid = uniqid( 'wpnonce_', true );
 }}}

 The use case for this addition is for usage within a theme for public
 forms and other actions that do not require a logged-in user.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21111>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
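The following is an added example, not WordPress core code and not the reporter's patch. It models the WordPress nonce construction (tick + action + identity, HMAC, 10-character truncation, current and previous tick accepted) as a stand-alone PHP script, and shows one way to give anonymous visitors a stable identity component: a random per-browser token minted once and carried in a cookie, so that the create and verify sides see the same value. The function names (`visitor_token`, `nonce_identity`, `make_nonce`, `check_nonce`), the cookie name, the `NONCE_KEY` constant value and the simulated cookie jar are all assumptions made for this example.

```php
<?php
// Added example (hypothetical names; not WordPress core). Models a
// WordPress-style nonce that also binds anonymous visitors to a
// per-browser secret, so create and verify agree for non-users.

const NONCE_KEY    = 'constructed-site-secret-replace-me'; // stands in for NONCE_KEY/NONCE_SALT
const NONCE_LIFE   = 86400;                                // 24 hours, as in WordPress
const TOKEN_COOKIE = 'visitor_token';                      // hypothetical cookie name

// Half-day tick, mirroring wp_nonce_tick(): a nonce is accepted for the
// current tick and the previous one, so it lives at most 24 hours.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Per-browser secret, minted on first use. $cookie_jar stands in for
// $_COOKIE / setcookie() so the script runs from the CLI; in a request
// it would be set as an HttpOnly, Secure, SameSite cookie.
function visitor_token(array &$cookie_jar): string {
    if (empty($cookie_jar[TOKEN_COOKIE])) {
        $cookie_jar[TOKEN_COOKIE] = bin2hex(random_bytes(16));
    }
    return $cookie_jar[TOKEN_COOKIE];
}

// Identity component of the nonce: the user ID when logged in, otherwise
// the visitor token. This is the value the ticket proposes to make unique.
function nonce_identity(int $user_id, array &$cookie_jar): string {
    return $user_id > 0 ? (string) $user_id : 'visitor:' . visitor_token($cookie_jar);
}

function nonce_for_tick(int $tick, string $action, string $uid): string {
    $mac = hash_hmac('sha256', $tick . '|' . $action . '|' . $uid, NONCE_KEY);
    return substr($mac, -12, 10); // same truncation WordPress applies
}

function make_nonce(string $action, int $user_id, array &$cookie_jar, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, nonce_identity($user_id, $cookie_jar));
}

// Returns 1 if the nonce was made this tick, 2 if last tick, false otherwise.
function check_nonce(string $nonce, string $action, int $user_id, array &$cookie_jar, int $now) {
    $uid  = nonce_identity($user_id, $cookie_jar);
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        if (hash_equals(nonce_for_tick($t, $action, $uid), $nonce)) {
            return $age;
        }
    }
    return false;
}

// Demo: two anonymous browsers requesting the same public form get
// different nonces, and each nonce verifies only with its own cookie.
$now      = time();
$browserA = [];
$browserB = [];
$nA = make_nonce('contact_form', 0, $browserA, $now);
$nB = make_nonce('contact_form', 0, $browserB, $now);
var_dump($nA !== $nB);
var_dump(check_nonce($nA, 'contact_form', 0, $browserA, $now));
var_dump(check_nonce($nA, 'contact_form', 0, $browserB, $now));
```

The design point is that the per-visitor token must already be set by the time the form is rendered: a browser that arrives at the verify step without the cookie (cookies disabled, or the token minted only during verification) gets a freshly generated identity and the nonce correctly fails, which is the same failure mode the `uniqid()` suggestion in the ticket would hit on every request unless the value is stored and reused.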