[wp-trac] [WordPress Trac] #29312: No documented/recommended nonce refresh functionality in Heartbeat.
WordPress Trac
noreply at wordpress.org
Fri Aug 22 07:49:20 UTC 2014
#29312: No documented/recommended nonce refresh functionality in Heartbeat.
----------------------------------------------+----------------------------
Reporter: programmin | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: HTTP API |
Severity: normal | Version: trunk
Focuses: javascript, docs, administration | Keywords:
----------------------------------------------+----------------------------
Oddly enough, it seems there isn't an obvious way to refresh nonces that
may be needed on the page after the heartbeat-api login dialog. For example,
go to the WordPress plugins listing page and notice that the activate and
deactivate links all have a nonce part in the request.

In a second tab, log out of the site, and go back to the plugin listing page.
After a while, the page realizes it's not logged in, and pops up a login
screen. Log in, and click an "activate" or "deactivate" button.

Notice it gives the nonce-failure message, "Are you sure you want to do
this?", because the previous session's nonces don't work. Why does
WordPress not know to refresh these nonces? I thought new nonces would be
sent back as a heartbeat-ajax, but it looks like there isn't an ajax
request with the login screen.

It seems $(document).on('heartbeat-nonces-expired') can be used to detect
when this situation happens, but it happens many times after a successful
login; it is not triggered just once.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29312>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
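
One way to handle the repeated heartbeat-nonces-expired event described in the ticket, as an added example that is not part of the original message or of WordPress core: latch on the first event, request fresh nonces over the next heartbeat, and rewrite the _wpnonce argument of the plugin action links. The my_fresh_nonces key is hypothetical and assumes a server-side heartbeat_received filter that returns wp_create_nonce() values only for an allowlist of actions.

```javascript
// Added example, not WordPress core code. The heartbeat key 'my_fresh_nonces'
// and the server filter that answers it are hypothetical.
// Nonce action of a plugins.php row link, e.g. "activate-plugin_hello.php".
function nonceActionFor(href) {
  const q = new URLSearchParams(href.split('#')[0].split('?')[1] || '');
  const action = q.get('action'), plugin = q.get('plugin');
  if (!plugin || (action !== 'activate' && action !== 'deactivate')) return null;
  return action + '-plugin_' + plugin;
}
// Swap only the _wpnonce value; the rest of the link is untouched.
function rewriteNonce(href, nonce) {
  return href.replace(/([?&]_wpnonce=)[^&#]*/, (m, p) => p + encodeURIComponent(nonce));
}

function createNonceRefresher() {
  let stale = false; // set by the first expiry event, cleared once nonces are replaced
  return {
    // The event repeats after re-login; only the first one changes state.
    onExpired() { const first = !stale; stale = true; return first; },
    // 'heartbeat-send': while stale, ask for the nonce actions present on the page.
    onSend(data, hrefs) {
      if (!stale) return;
      data.my_fresh_nonces = [...new Set(hrefs.map(nonceActionFor).filter(Boolean))];
    },
    // 'heartbeat-tick': apply the returned nonces and stop asking.
    onTick(data, hrefs) {
      const fresh = data.my_fresh_nonces;
      if (!stale || !fresh) return hrefs;
      stale = false;
      return hrefs.map((h) => {
        const n = fresh[nonceActionFor(h)];
        return n ? rewriteNonce(h, n) : h;
      });
    },
  };
}

// Browser wiring (skipped where jQuery is not defined, e.g. outside wp-admin).
if (typeof jQuery !== 'undefined') {
  const r = createNonceRefresher(), $ = jQuery;
  const links = () => $('a[href*="_wpnonce="]').toArray();
  $(document)
    .on('heartbeat-nonces-expired', () => { r.onExpired(); })
    .on('heartbeat-send', (e, data) => { r.onSend(data, links().map((a) => a.getAttribute('href'))); })
    .on('heartbeat-tick', (e, data) => {
      const as = links();
      r.onTick(data, as.map((a) => a.getAttribute('href'))).forEach((h, i) => as[i].setAttribute('href', h));
    });
}
```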