[wp-trac] [WordPress Trac] #27165: Incorrect nonce supplied when authenticated session expires
WordPress Trac
noreply at wordpress.org
Sun Feb 23 22:41:44 UTC 2014
#27165: Incorrect nonce supplied when authenticated session expires
------------------------------------+------------------------------
 Reporter:  joe_bopper              |       Owner:
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:  3.8.1
 Severity:  minor                   |  Resolution:
 Keywords:                          |     Focuses:
------------------------------------+------------------------------
Changes (by joe_bopper):
* keywords: close =>
Comment:
Hi nacin, thanks for getting back to me.

I'm aware nonces are user-dependent and perhaps I wasn't clear enough in
my initial ticket. The user (as in the person) is the same throughout. The
issue occurs when the user is logged-in (with admin area in a separate
tab, say) and their authentication expires. The admin area then prompts
the user to reconfirm their password. If the user neglects to do this
(they're not doing anything in the admin area so aren't aware, for
example), a nonce provided by page refresh is different to one provided by
ajax despite the user, the user's authenticated status, the action name
and the 12hr window of time all being the same.

My guess is that while the user is in this state of logged-in limbo, a
request by ajax still considers the user to be logged-in whereas a fresh
page load considers the user logged-out.

It is only a minor bug because it will only occur rarely but it is
unexpected behaviour. Of course, it is no longer an issue for me as I'm
aware that should it happen again, I can just log back in (or log out) to
sort it out.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27165#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
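
An added illustration of the hypothesis in the comment above, not part of the original message and not WordPress core code: a simplified model of the 3.8-era nonce derivation (an HMAC over tick, action and user ID) showing that two requests in the same 12-hour window with the same action produce different nonces if one resolves the user's ID and the other resolves the logged-out ID 0. The function names are hypothetical, and the salt, user ID, action name and timestamp are constructed sample values.

```php
<?php
// Added illustration: simplified model of the WordPress 3.8-era nonce scheme.
// Function names are hypothetical; salt, IDs and timestamp are constructed.

const NONCE_LIFE  = 86400;                     // default lifetime: 24 hours
const SAMPLE_SALT = 'constructed-sample-salt'; // stands in for the site's nonce salt

// Two ticks per lifetime, so one tick spans the 12-hour window.
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// HMAC-MD5 over tick, action and user ID, truncated to 10 hex characters.
function model_nonce_for_tick(int $tick, string $action, int $uid): string {
    return substr(hash_hmac('md5', $tick . $action . $uid, SAMPLE_SALT), -12, 10);
}

function model_create_nonce(string $action, int $uid, int $now): string {
    return model_nonce_for_tick(model_nonce_tick($now), $action, $uid);
}

// Accept a nonce from the current or the previous tick, for the given user only.
function model_verify_nonce(string $nonce, string $action, int $uid, int $now): bool {
    $tick = model_nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(model_nonce_for_tick($t, $action, $uid), $nonce)) {
            return true;
        }
    }
    return false;
}

$now    = 1393195304;      // constructed timestamp
$action = 'save_settings'; // constructed action name
$uid    = 7;               // constructed ID of the user whose session expired

// Hypothesis from the comment: the AJAX request still resolves the user,
// while the fresh page load resolves to the logged-out user (ID 0).
$ajax_nonce = model_create_nonce($action, $uid, $now);
$page_nonce = model_create_nonce($action, 0, $now);

printf("ajax nonce:  %s\npage nonce:  %s\n", $ajax_nonce, $page_nonce);
printf("same nonce?  %s\n", var_export($ajax_nonce === $page_nonce, true));
// A handler that resolves the user one way rejects the nonce minted the other way.
printf("page nonce accepted in ajax context?  %s\n",
    var_export(model_verify_nonce($page_nonce, $action, $uid, $now), true));
```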