[wp-trac] [WordPress Trac] #41993: wp_nonce_tick() - is division on 2 it a real need?
WordPress Trac
noreply at wordpress.org
Tue Sep 26 12:07:00 UTC 2017
#41993: wp_nonce_tick() - is division on 2 it a real need?
-------------------------+----------------------
 Reporter:  Tkama        | Owner:
     Type:  enhancement  | Status:      closed
 Priority:  normal       | Milestone:
Component:  General      | Version:     4.8.2
 Severity:  normal       | Resolution:  invalid
 Keywords:               | Focuses:
-------------------------+----------------------
Changes (by dd32):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Hi @Tkama and welcome to Trac,
The divide-by-two is due to the manner in which WordPress implements
nonces; you may find https://codex.wordpress.org/WordPress_Nonces has some
useful information in it, some of which I'll rehash here.
In WordPress's implementation of Nonces, the nonce/number is generated as
being valid for two "ticks", a 'tick' being effectively the number of
half-lives of the time that have occurred within the current `time()`.
In other words, if you generate a nonce with a 24hrs lifespan, WordPress
will generate a nonce valid for the current 12hr and the next 12hr time
period. As a side effect, this also means that a 24hr lifespan is the
upper limit, it's actually somewhere between 12-24hrs.
The `/2` in `wp_nonce_tick()` is integral to that, it splits it into those
two ticks (the .0 and the .5). So while it's halving the nonce life there,
it's not actually halving the nonce life.
You'll also note that `wp_verify_nonce()` returns which 'tick' the nonce
is currently in:
from: https://developer.wordpress.org/reference/functions/wp_verify_nonce/
> return values: (false|int) False if the nonce is invalid, 1 if the nonce
> is valid and generated between 0-12 hours ago, 2 if the nonce is valid and
> generated between 12-24 hours ago.
Hope this helps understand it better!
'' This is to the best of my knowledge, I may be partially wrong in some
aspects of this description, please don't rely upon this for security
purposes, I'd advise reading the above link (and the extras in the
Resources section) and the original implementation ticket for the
details.''
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41993#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
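The tick arithmetic described in the comment above, as an added Python model that is not WordPress code: `nonce_tick()` mirrors `ceil( time() / ( $nonce_life / 2 ) )`, `verify_nonce()` returns 1 for the current tick and 2 for the previous one, and `remaining_lifetime()` shows why a 24h `nonce_life` gives a real validity window of between 12 and 24 hours. The HMAC key, `uid` and session `token` are constructed stand-ins for the site's salts and the user's session.

```python
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400

# Constructed stand-in for the site's nonce salt (WordPress derives the
# real key from NONCE_KEY / NONCE_SALT via wp_salt()).
SECRET_KEY = b"constructed-demo-key"


def nonce_tick(now, nonce_life=DAY_IN_SECONDS):
    """Model of wp_nonce_tick(): index of the current half-life period.
    Tick i covers the interval ((i-1)*half, i*half]."""
    return math.ceil(now / (nonce_life / 2))


def _nonce_hash(tick, action, uid, token):
    """Model of wp_hash() over 'tick|action|uid|token', keeping the same
    10-char slice that core takes with substr(..., -12, 10)."""
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(now, action, uid=1, token="sess"):
    """Model of wp_create_nonce(): bind the nonce to the tick it is issued in."""
    return _nonce_hash(nonce_tick(now), action, uid, token)


def verify_nonce(nonce, now, action, uid=1, token="sess"):
    """Model of wp_verify_nonce(): 1 if issued in the current tick,
    2 if issued in the previous tick, False otherwise."""
    i = nonce_tick(now)
    if hmac.compare_digest(_nonce_hash(i, action, uid, token), nonce):
        return 1
    if hmac.compare_digest(_nonce_hash(i - 1, action, uid, token), nonce):
        return 2
    return False


def remaining_lifetime(created_at, nonce_life=DAY_IN_SECONDS):
    """Seconds from created_at to the last instant the nonce still verifies,
    i.e. the end of the tick after the one it was issued in. Ranges from
    nonce_life/2 (issued exactly on a tick boundary) up to just under
    nonce_life (issued right after a boundary)."""
    half = nonce_life / 2
    return (nonce_tick(created_at, nonce_life) + 1) * half - created_at
```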