[wp-trac] [WordPress Trac] #31897: Update Customizer nonces via Heartbeat API
WordPress Trac
noreply at wordpress.org
Wed Feb 24 23:26:30 UTC 2016
#31897: Update Customizer nonces via Heartbeat API
------------------------------------------+-----------------------------
Reporter: westonruter | Owner: voldemortensen
Type: enhancement | Status: assigned
Priority: low | Milestone: Future Release
Component: Customize | Version: 3.4
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses: javascript
------------------------------------------+-----------------------------
Changes (by westonruter):
* priority: normal => low
Old description:
> Currently the Customizer's nonces get updated when the preview gets
> refreshed (only the `save` and `preview` nonces, not the `update-widget`
> nonce, however). If the user leaves the window open in the background for
> a long time, they will get stale nonces. We should be using the Heartbeat
> API and the `wp_ajax_customize_refresh_nonces` filter introduced in
> #31294 to keep the nonces up to date.
>
> See also #31436 where Heartbeat integration will also be required to
> handle Customizer concurrency issues.
New description:
Currently the Customizer's nonces get updated when the preview gets
refreshed ~~(only the `save` and `preview` nonces, not the `update-widget`
nonce, however). If the user leaves the window open in the background for
a long time, they will get stale nonces. We should be using the Heartbeat
API and the `wp_ajax_customize_refresh_nonces` filter introduced in #31294
to keep the nonces up to date.~~ (This is no longer true as of #35617.)
See also #31436 where Heartbeat integration will also be required to
handle Customizer concurrency issues.
--
Comment:
I just realized that all nonces now get updated when the preview refreshes
as of #35617, making this ticket less important. This ticket now
specifically fixes the issue where the Customizer is left open for a long
time without the preview being refreshed to keep the nonces up to date.
Nevertheless, if the user does leave the browser session open for such a
long time, it is also likely that their session will expire and they will
need to re-login anyway: by default, non-remember user authentication
sessions expire after 48 hours (`auth_cookie_expiration`) and nonces
expire after 24 hours (`nonce_life`).
Nevertheless, the integration of Heartbeat into the Customizer will be
useful for plugins generally, so I'd love to see that happen, and keeping
nonces up-to-date should be the first application of Heartbeat in the
Customizer. That can either be made the scope of this ticket, or another
ticket can be made specific for that feature.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31897#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
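Added example, not part of the original message and not WordPress core code: a simplified model of tick-based nonces, showing when a nonce held by an idle Customizer window goes stale and when a Heartbeat-style refresh would have to replace it. The salt, the user ID, the timeline and the `refreshNonces` handler are assumptions made for illustration; the session token that the real scheme also hashes is left out.

```javascript
// Simplified model of WordPress' tick-based nonces; not WordPress core code.
const crypto = require("crypto");

const NONCE_LIFE = 24 * 60 * 60;        // default `nonce_life` cited above, in seconds
const SECRET = "constructed-demo-salt"; // constructed stand-in for the site's secret salt

// The tick advances every half lifetime, so every 12 hours by default.
function nonceTick(now) {
  return Math.ceil(now / (NONCE_LIFE / 2));
}

// 10 hex characters of an HMAC over tick, action and user (session token omitted here).
function hashFor(tick, action, userId) {
  const mac = crypto.createHmac("md5", SECRET).update(`${tick}|${action}|${userId}`);
  return mac.digest("hex").slice(-12, -2);
}

function createNonce(action, userId, now) {
  return hashFor(nonceTick(now), action, userId);
}

// 1 = minted in the current tick, 2 = minted in the previous tick, false = stale or invalid.
function verifyNonce(nonce, action, userId, now) {
  const given = Buffer.from(String(nonce));
  const tick = nonceTick(now);
  for (const [age, t] of [[1, tick], [2, tick - 1]]) {
    const expected = Buffer.from(hashFor(t, action, userId));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) return age;
  }
  return false;
}

// Heartbeat-style server handler (hypothetical): replace nonces in their second tick.
// Nonces that already fail verification are not renewed; the page has to be reloaded.
function refreshNonces(clientNonces, userId, now) {
  const fresh = {};
  for (const [action, nonce] of Object.entries(clientNonces)) {
    if (verifyNonce(nonce, action, userId, now) === 2) fresh[action] = createNonce(action, userId, now);
  }
  return fresh;
}

// Constructed timeline: Customizer opened one second into a tick, then left idle.
const HOUR = 3600, opened = 100 * 12 * HOUR + 1;
const held = { save: createNonce("save", 7, opened), preview: createNonce("preview", 7, opened) };
for (const h of [0, 11, 13, 25]) {
  const now = opened + h * HOUR;
  console.log(`+${h}h`, verifyNonce(held.save, "save", 7, now), refreshNonces(held, 7, now));
}
```

Because verification accepts only the current and the previous tick, a nonce is usable for between 12 and 24 hours depending on when in the tick it was minted, so a refresh has to arrive while the old nonce still verifies.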