[wp-trac] [WordPress Trac] #27165: Incorrect nonce supplied when authenticated session expires
WordPress Trac
noreply at wordpress.org
Thu Feb 20 11:55:45 UTC 2014
#27165: Incorrect nonce supplied when authenticated session expires
------------------------------------+-----------------------------
Reporter: joe_bopper | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 3.8.1
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
I was using a nonce (with action name) for a nopriv ajax request and found
the nonce supplied via page load was invalid, whereas the nonce supplied via
ajax request was valid. This only occurs when the admin area prompts to
re-authenticate the current user.
In my system, a nonce (action 'xyz', say) is given via localize script to
the client on page load. This nonce is then used to verify a subsequent
nopriv ajax request. This request then responds with the latest nonce (for
'xyz') (which may be the same, of course) for any further ajax requests.
However, I suddenly found that upon page reload, the nonce provided via
localize script was invalid. Assuming this was a bug in my code, I
commented out nonce verification in my action function. I then discovered
that the "new" nonce being supplied in the ajax response was always
different to the initial nonce despite the same action name being used in
its creation. On further experimentation it became apparent that the nonce
supplied by ajax response was valid and did verify with further ajax
requests. I then found I had the admin area open in a separate tab and it
was prompting me to re-authenticate. Upon logging back in the nonces
realigned and worked again.
tl;dr: Requests by ajax consider the current user differently from a fresh
page load (for nonces at least) when in logged-in limbo. The bug is that
they shouldn't.
It's a very minor issue but it was very confusing and took me quite some
time to find the somewhat non-intuitive solution.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27165>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
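The mechanism behind the reporter's observation, as an added illustration that is not code from WordPress or from the ticket: a Python model of wp_create_nonce() and wp_verify_nonce() as they were in WordPress 3.8 (the version on the ticket), where the nonce is the hex HMAC-MD5 of "tick|action|uid" under the site's nonce salt, cut to characters -12 to -2, and verification accepts the current and the previous half-life tick. The salt, user ID 7, action name 'xyz' and timestamp are constructed for the demo. Which side of the split sees user 0 is an assumption: the model takes the page load as still resolving the user while the admin-ajax request does not (WordPress 3.8 resolves the user on admin requests from the auth cookie only and on front-end requests falls back to the logged_in cookie), which matches the page-load nonce being rejected and the ajax-minted one being accepted; either way the point is that a nonce minted under one user ID never verifies under another, so the two code paths must agree on who the user is.

```python
"""Model of WordPress 3.8 nonce creation and verification (added example).

Not WordPress code: it mirrors the structure of wp_create_nonce() and
wp_verify_nonce() so the ticket's "limbo" symptom can be reproduced offline.
Salt, user IDs, action and timestamps are constructed for the demonstration.
"""
import hashlib
import hmac
import math
import time

DAY_IN_SECONDS = 86400
NONCE_LIFE = DAY_IN_SECONDS  # default value of the 'nonce_life' filter
NONCE_SALT = b"constructed-demo-salt-not-a-real-site-key"  # assumption


def nonce_tick(now=None):
    """Mirror wp_nonce_tick(): ceil(time / (nonce_life / 2))."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data):
    """Mirror wp_hash($data, 'nonce'): hash_hmac('md5', data, salt) as hex."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, uid, now=None):
    """Mirror wp_create_nonce(): the nonce binds action, user ID and tick.

    `uid` is whatever wp_get_current_user() reports on *this* request: the
    real ID when the request still sees the user as logged in, or 0 once
    it does not (the 'nonce_user_logged_out' filter defaults to 0).
    """
    tick = nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}")[-12:-2]


def verify_nonce(nonce, action, uid, now=None):
    """Mirror wp_verify_nonce(): 1 for the current tick, 2 for the previous
    tick, False otherwise.  The uid must match the one used at creation."""
    tick = nonce_tick(now)
    if nonce == wp_hash(f"{tick}|{action}|{uid}")[-12:-2]:
        return 1
    if nonce == wp_hash(f"{tick - 1}|{action}|{uid}")[-12:-2]:
        return 2
    return False


def limbo_demo(action="xyz", real_uid=7, now=None):
    """Reproduce the ticket's symptom and return the outcomes as a dict.

    Assumption: the page load still resolves the user (uid 7) when it mints
    the nonce handed to wp_localize_script, while the admin-ajax request no
    longer does (uid 0), so the nopriv handler both mints and checks nonces
    for uid 0.  After re-authentication both paths resolve uid 7 again.
    """
    page_nonce = create_nonce(action, real_uid, now)  # minted on page load
    ajax_nonce = create_nonce(action, 0, now)         # minted in the ajax response
    return {
        "nonces_differ": page_nonce != ajax_nonce,
        # what check_ajax_referer sees inside the limbo-state ajax request
        "page_nonce_accepted_by_ajax": verify_nonce(page_nonce, action, 0, now),
        "ajax_nonce_accepted_by_ajax": verify_nonce(ajax_nonce, action, 0, now),
        # once the user re-authenticates, ajax resolves uid 7 again
        "page_nonce_accepted_after_relogin": verify_nonce(
            page_nonce, action, real_uid, now),
    }


if __name__ == "__main__":
    for key, value in limbo_demo().items():
        print(f"{key}: {value}")
```

The dict keys make the two halves of the reporter's story explicit: in the limbo state only the nonce minted by the ajax response verifies, and the page-load nonce starts verifying again as soon as both paths agree on the user ID. Passing `now` to every function keeps the tick deterministic, which is also how you would unit-test nonce handling around the half-life boundary.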