[wp-trac] [WordPress Trac] #29312: No documented/recommended nonce refresh functionality in Heartbeat.

WordPress Trac noreply at wordpress.org
Fri Aug 22 07:49:20 UTC 2014

#29312: No documented/recommended nonce refresh functionality in Heartbeat.
 Reporter:  programmin                        |      Owner:
     Type:  defect (bug)                      |     Status:  new
 Priority:  normal                            |  Milestone:  Awaiting
Component:  HTTP API                          |  Review
 Severity:  normal                            |    Version:  trunk
  Focuses:  javascript, docs, administration  |   Keywords:
 Oddly enough it seems there isn't an obvious way to refresh nonces that
 may be needed on the page after the heartbeat-api login dialog. For example,
 go to the WordPress plugins listing page, and notice the activate and
 deactivate links all have a nonce part in the request.

 In a second tab, log out of the site, and go back to plugin listing page.

 After a while, the page realizes it's not logged in, and pops up a log in
 screen. Log in, and click an "activate" or "deactivate" button.

 Notice it gives the nonce-failure message, "Are you sure you want to do
 this?", because the previous session's nonces don't work. Why does
 WordPress not know to refresh these nonces? I thought new nonces would be
 sent back as a heartbeat-ajax, but it looks like there isn't an ajax
 request with the login screen.

 It seems $(document).on('heartbeat-nonces-expired') can be used to detect
 when this situation happens, but it happens many times after a successful
 login, not just once.

Ticket URL: <https://core.trac.wordpress.org/ticket/29312>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
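A client-side sketch of the refresh the ticket asks for, added here as an example and not code from WordPress core: it listens for `heartbeat-nonces-expired`, collapses the repeated events into a single flag, asks for fresh nonces on the next `heartbeat-send`, and rewrites the `_wpnonce` parameter of the plugin action links when `heartbeat-tick` delivers them. The request key `plugin-action-nonces` and the server-side `heartbeat_received` filter that would answer it with a map of nonce action to nonce are assumptions; the `<action>-plugin_<plugin file>` naming matches how wp-admin signs those links.

```javascript
// Added example (not WordPress core code). Assumes a heartbeat_received filter
// on the server (not shown) answers the hypothetical "plugin-action-nonces"
// request key with an object mapping nonce action => fresh nonce.
const NONCE_PARAM = '_wpnonce';
const REQUEST_KEY = 'plugin-action-nonces'; // hypothetical heartbeat key

// Read one query parameter from a (possibly relative) admin URL.
function queryParam(url, name) {
  const m = url.match(new RegExp('[?&]' + name + '=([^&#]*)'));
  return m ? decodeURIComponent(m[1]) : null;
}

// Plugin action links are signed with the nonce action
// "<action>-plugin_<plugin file>", e.g. "activate-plugin_hello.php".
function nonceActionFor(url) {
  const action = queryParam(url, 'action');
  const plugin = queryParam(url, 'plugin');
  if (!action || !plugin) return null;
  return action + '-plugin_' + plugin;
}

// Swap only the stale _wpnonce value; other parameters are untouched, and a
// URL with no nonce (or no fresh nonce available for it) is returned as-is.
function refreshNonceInUrl(url, freshNonces) {
  const key = nonceActionFor(url);
  if (!key || !(key in freshNonces)) return url;
  return url.replace(/([?&]_wpnonce=)[^&#]*/,
    '$1' + encodeURIComponent(freshNonces[key]));
}

// Rewrite link hrefs in place and report how many links changed.
function applyFreshNonces(links, freshNonces) {
  let updated = 0;
  for (const link of links) {
    const next = refreshNonceInUrl(link.href, freshNonces);
    if (next !== link.href) { link.href = next; updated++; }
  }
  return updated;
}

// Browser wiring, guarded so the pure functions above also run under Node.
// One flag absorbs the repeated expiry events the ticket describes.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  let stale = false;
  jQuery(document)
    .on('heartbeat-nonces-expired', function () { stale = true; })
    .on('heartbeat-send', function (event, data) { if (stale) data[REQUEST_KEY] = true; })
    .on('heartbeat-tick', function (event, data) {
      if (!data[REQUEST_KEY]) return;
      applyFreshNonces(document.querySelectorAll('a[href*="_wpnonce="]'), data[REQUEST_KEY]);
      stale = false;
    });
}
```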
