[wp-trac] [WordPress Trac] #24447: Avoid losing data after nonces expire

WordPress Trac noreply at wordpress.org
Fri May 31 01:12:41 UTC 2013


#24447: Avoid losing data after nonces expire
----------------------------+------------------
 Reporter:  azaozz          |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  3.6
Component:  Administration  |     Version:
 Severity:  normal          |  Resolution:
 Keywords:                  |
----------------------------+------------------

Comment (by azaozz):

 Thinking more about this especially for the Edit Post screen: refreshing
 the nonces fails every time the user's computer goes offline (or to
 "sleep") within 12 hours of loading the screen and stays offline for at
 least 12 hours (so the total time since loading the screen exceeds 24
 hours).

 In this case we don't refresh the nonces as we cannot check the old
 values. Possible solutions:

 - Add a "grace period" for some nonces.
  - May have security implications.
  - Would not cover nonces added by plugins.
  - Even if we extend certain nonces' life to, let's say, 48 hours, they would
 still expire and some users may still lose data or at least see the AYS
 screen.

 - When nonces have expired, ask the user to enter his/her password and
 override them.
  - Will work on form submission, would be harder to do for ajax requests.
  - May cover nonces added by plugins but not for ajax.

 - Show an error that the page has expired including a link to open the
 same screen in a new window so the user can copy/paste any unsaved
 content.

 All three options are more or less lame and/or don't solve this
 completely.

 There are other implications of keeping a page open for a long time: a
 post may have been edited by another user or a setting may have been
 changed and the current screen won't show this. So even if we make it
 possible to save changes after an extended period, the user may be
 overwriting or deleting data. In those terms the third option looks like
 the right one, perhaps in combination with one of the others.

 Other suggestions welcome.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24447#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
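An added illustration, not code from the ticket or from WordPress core: a Python model of tick-based nonces in the shape of wp_nonce_tick() / wp_verify_nonce(), with a heartbeat-style refresh that only issues a new nonce if the old one still verifies. The HMAC key, action name, user id, load time and hourly refresh interval are constructed for the demonstration (WordPress itself hashes with wp_hash() and its salts). It reproduces the offline scenario described in the comment and shows why a "grace period" only moves the expiry cliff rather than removing it.

```python
"""Toy model of WordPress-style tick-based nonces (added illustration, not WordPress code)."""
import hashlib
import hmac
import math

DAY_IN_SECONDS = 24 * 60 * 60
NONCE_LIFE = DAY_IN_SECONDS   # default nonce life in WordPress: 24 hours
TICK_LEN = NONCE_LIFE // 2    # wp_nonce_tick() counts half-life ticks: 12 hours
HOUR = 3600

# Constructed stand-in for the salted wp_hash() secret; not a real WordPress salt.
SECRET = b"constructed-demo-secret"


def nonce_tick(now: int) -> int:
    """Same shape as wp_nonce_tick(): ceil(time / (nonce_life / 2)).
    Ticks are absolute, so a nonce minted late in a tick has less remaining life."""
    return math.ceil(now / TICK_LEN)


def _digest(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action: str, user_id: int, now: int) -> str:
    return _digest(nonce_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: int, grace_ticks: int = 0) -> int:
    """Like wp_verify_nonce(): 1 = minted this tick, 2 = previous tick, 0 = invalid.
    grace_ticks > 0 models the ticket's "grace period" option by also accepting
    older ticks (reported as 3, 4, ...)."""
    tick = nonce_tick(now)
    for age in range(1, 2 + grace_ticks + 1):
        if hmac.compare_digest(_digest(tick - (age - 1), action, user_id), nonce):
            return age
    return 0


def refresh_nonce(old: str, action: str, user_id: int, now: int, grace_ticks: int = 0):
    """Heartbeat-style refresh: a new nonce is issued only if the old one still verifies.
    That is exactly why a long offline gap cannot be bridged by refreshing."""
    if verify_nonce(old, action, user_id, now, grace_ticks) == 0:
        return None
    return create_nonce(action, user_id, now)


def simulate_offline(loaded_at: int, offline_after: int, offline_for: int,
                     grace_ticks: int = 0, action: str = "update-post_1",
                     user_id: int = 7) -> bool:
    """Load the edit screen at loaded_at, refresh hourly while online, go offline at
    loaded_at + offline_after for offline_for seconds, then attempt one refresh on wake.
    Returns True if the refresh on wake succeeded, False if the nonce is now dead."""
    nonce = create_nonce(action, user_id, loaded_at)
    t = loaded_at
    while t + HOUR <= loaded_at + offline_after:
        t += HOUR
        nonce = refresh_nonce(nonce, action, user_id, t, grace_ticks)
        assert nonce is not None  # hourly refresh never fails while online
    wake = loaded_at + offline_after + offline_for
    return refresh_nonce(nonce, action, user_id, wake, grace_ticks) is not None


if __name__ == "__main__":
    T0 = 100 * TICK_LEN + 1  # constructed load time: just after a tick boundary
    print(simulate_offline(T0, 6 * HOUR, 10 * HOUR))                 # True: back within 24 h
    print(simulate_offline(T0, 6 * HOUR, 19 * HOUR))                 # False: 25 h since load
    print(simulate_offline(T0, 48 * HOUR, 0))                        # True: online all along
    print(simulate_offline(T0, 6 * HOUR, 19 * HOUR, grace_ticks=1))  # True with 12 h of grace
    print(simulate_offline(T0, 6 * HOUR, 31 * HOUR, grace_ticks=1))  # False: the cliff just moved
```

Because ticks are absolute rather than relative to when the nonce was minted, the window a nonce actually has ranges from just over 12 hours to just under 24 hours depending on where in a tick it was created; the "exceeds 24 hours" wording in the comment is the upper bound of that range.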