[wp-trac] [WordPress Trac] #24447: Avoid losing data after nonces expire
WordPress Trac
noreply at wordpress.org
Fri May 31 01:12:41 UTC 2013
#24447: Avoid losing data after nonces expire
----------------------------+------------------
Reporter: azaozz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: |
----------------------------+------------------
Comment (by azaozz):
Thinking more about this, especially for the Edit Post screen: refreshing
the nonces fails every time the user's computer goes offline (or to
"sleep") within 12 hours of loading the screen and stays offline for at
least 12 hours (so the total time since loading the screen exceeds 24
hours).

In this case we don't refresh the nonces as we cannot check the old
values. Possible solutions:

- Add a "grace period" for some nonces.
  - May have security implications.
  - Would not cover nonces added by plugins.
  - Even if we extend certain nonces' life to, let's say, 48 hours, they
    would still expire and some users may still lose data or at least see
    the AYS screen.
- When nonces have expired, ask the user to enter his/her password and
  override them.
  - Will work on form submission, would be harder to do for ajax requests.
  - May cover nonces added by plugins but not for ajax.
- Show an error that the page has expired, including a link to open the
  same screen in a new window so the user can copy/paste any unsaved
  content.

All three options are more or less lame and/or don't solve this
completely.

There are other implications of keeping a page open for a long time: a
post may have been edited by another user or a setting may have been
changed and the current screen won't show this. So even if we make it
possible to save changes after an extended period, the user may be
overwriting or deleting data. In those terms the third option looks like
the right one, perhaps in combination with one of the others.

Other suggestions welcome.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24447#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
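
The refresh failure described in the comment above, as an added example (not part of the ticket and not WordPress code): a simplified model of a nonce bound to 12-hour ticks, where a refresh is granted only while the old nonce still verifies. The HMAC key, action name, user id and timestamps are constructed, and the 12-hour tick is an assumption taken from the 12/24-hour figures in the comment.

```python
import hashlib
import hmac

TICK = 12 * 3600                      # assumed tick length (half of the 24 h life)
SECRET = b"constructed-demo-key"      # constructed value, stands in for a site secret
ACTION, USER = "update-post_1", 7     # constructed action name and user id


def tick(now):
    """Index of the 12-hour window containing `now` (integer ceiling)."""
    return -(-now // TICK)


def make_nonce(action, user, now, age=0):
    """Nonce bound to action, user and the tick `age` windows before `now`."""
    msg = f"{tick(now) - age}|{action}|{user}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user, now):
    """1 = issued in the current tick, 2 = previous tick, 0 = expired or invalid."""
    for age in (0, 1):
        if hmac.compare_digest(nonce, make_nonce(action, user, now, age)):
            return age + 1
    return 0


def refresh_nonce(old, action, user, now):
    """Reissue only if the old nonce still verifies; otherwise refuse (None)."""
    if old is None or verify_nonce(old, action, user, now) == 0:
        return None
    return make_nonce(action, user, now)


def simulate(load, sleep_at, wake_at, step=3600):
    """Refresh every `step` seconds while online, then try once after waking."""
    nonce = make_nonce(ACTION, USER, load)
    t = load
    while t + step <= sleep_at:       # online: each refresh sees a still-valid nonce
        t += step
        nonce = refresh_nonce(nonce, ACTION, USER, t)
    return refresh_nonce(nonce, ACTION, USER, wake_at)


if __name__ == "__main__":
    load = 1000 * TICK + 3600         # constructed: screen loaded 1 h into a tick
    print("3 h sleep :", simulate(load, load + 2 * 3600, load + 5 * 3600))
    print("30 h sleep:", simulate(load, load + 2 * 3600, load + 32 * 3600))
```

In this model the long sleep returns `None`: the old value can no longer be checked, so the server has nothing on which to base a reissue, which is the case the three options in the comment try to handle.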