[wp-trac] [WordPress Trac] #48356: wp_create_nonce(...) and check_ajax_referer(...) fails on the 2nd AJAX call if that is two-action AJAX with AJAX-LOGIN as the first action

WordPress Trac noreply at wordpress.org
Thu Oct 17 14:35:47 UTC 2019


#48356: wp_create_nonce(...) and check_ajax_referer(...) fails on the 2nd AJAX call
if that is two-action AJAX with AJAX-LOGIN as the first action
--------------------------+-------------------------
 Reporter:  KestutisIT    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  General       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  2nd-opinion   |     Focuses:  javascript
--------------------------+-------------------------
Changes (by KestutisIT):

 * keywords:   => 2nd-opinion
 * status:  closed => reopened
 * focuses:   => javascript
 * resolution:  invalid =>


Comment:

 Replying to [comment:2 ocean90]:
 > Hello @KestutisIT, thanks for the report.
 >
 > Nonces are tied to user sessions and therefore they will be different
 > between non-logged-in users and logged-in users. If you need something to
 > ensure "source authenticity" you have to use your own implementation and
 > don't use nonces.

 I cannot quote it, as I do not remember on which WordPress page it was
 written, but as I remember it, it said you HAVE to rely on WordPress
 authentication, sanitization and security methods and features, and not
 reinvent the wheel yourself. It is the same as including my own jQuery. And
 probably in the future there would be an issue passing plugin upload
 validation on w.org with a 'custom made' REST API.
 Especially for the nonce, as from the 'Operating System for the Open Web' I
 expect a nonce that can be taken for granted to work in the modern web
 world (where AJAX is included and widely used).
 I believe we need to support an extra parameter for create_nonce here that
 would say whether it will return the same nonce for both.
 I don't think it is good to create my own nonce method here, as this is
 not a niche scope: more and more plugins rely on the LOGGED-IN state, like
 BuddyPress and bbPress, and that is a large part of WordPress. And
 WordPress core says that I MUST CHECK with wp_check_referer. I believe
 current or later plugin validator plugins will reject the plugin if this
 is not used. I even had to explain when I did sanitization in the model,
 and not in the controller, and the w.org mods checked in the controller.

 So, I'm reopening the ticket, as I strongly believe something has to be
 done about this in WordPress core, as it is first of all related to the
 basics of security: as long as WordPress has a built-in LOGIN / LOGOUT
 mechanism, and WP_User is a part of WordPress core, there has to be a way
 to handle this via WordPress core as well.
 I also added the '2nd-opinion' tag. I also do not understand why you
 removed the JavaScript tag. What was the reason for that?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48356#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
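
The two-step flow the ticket describes, written the way a plugin has to handle it given ocean90's point that a nonce is bound to the user and session it was created for. This is an added example, not code from the ticket or from WordPress core; the myplugin_ prefix, both AJAX action names, both nonce action strings and the 'security' request field are hypothetical. It also covers the follow-on trap a practitioner hits once they try to return a fresh nonce from the login call: wp_signon() sets the auth cookie with setcookie(), which only reaches the next request, while wp_get_session_token() (used by wp_create_nonce()) reads $_COOKIE[LOGGED_IN_COOKIE] of the current request, so the new cookie has to be exposed to the current request before the nonce is created.

```php
<?php
/**
 * Added example, not code from the ticket or from WordPress core.
 *
 * Two-step AJAX flow: step 1 logs the visitor in, step 2 does logged-in work.
 * A nonce created for the logged-out visitor (user ID 0, empty session token)
 * cannot verify once the user is logged in, so step 1 hands the client a
 * fresh nonce and the client must send that one, not the page's original
 * nonce, in step 2.
 *
 * Hypothetical names: the myplugin_ prefix, both AJAX actions, both nonce
 * action strings and the 'security' request field.
 */

// wp_signon() sets the auth cookies with setcookie(), which only affects the
// next request. wp_get_session_token(), which wp_create_nonce() uses, reads
// $_COOKIE[ LOGGED_IN_COOKIE ] of the current request, so without this hook a
// nonce created right after login would be hashed with an empty session token
// and fail verification on the following request.
add_action( 'set_logged_in_cookie', 'myplugin_expose_logged_in_cookie' );
function myplugin_expose_logged_in_cookie( $logged_in_cookie ) {
    $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
}

// Step 1: only reachable while logged out (nopriv), so the nonce on this call
// is checked against user ID 0, which is what the logged-out page created it for.
add_action( 'wp_ajax_nopriv_myplugin_login', 'myplugin_ajax_login' );
function myplugin_ajax_login() {
    check_ajax_referer( 'myplugin_login', 'security' );

    $user = wp_signon(
        array(
            'user_login'    => isset( $_POST['log'] ) ? sanitize_user( wp_unslash( $_POST['log'] ) ) : '',
            'user_password' => isset( $_POST['pwd'] ) ? (string) wp_unslash( $_POST['pwd'] ) : '',
            'remember'      => ! empty( $_POST['rememberme'] ),
        ),
        is_ssl()
    );

    if ( is_wp_error( $user ) ) {
        // Generic message: do not reveal whether the username exists.
        wp_send_json_error( array( 'message' => 'Login failed.' ), 403 );
    }

    // wp_signon() does not change the current user of this request; do it so
    // the nonce below is bound to the logged-in user ID.
    wp_set_current_user( $user->ID );

    wp_send_json_success(
        array(
            'user_id'    => $user->ID,
            // Bound to the logged-in user and the new session token. The client
            // must use this value, not the page's original nonce, in step 2.
            'save_nonce' => wp_create_nonce( 'myplugin_save' ),
        )
    );
}

// Step 2: logged-in only (no nopriv hook), verified with the step-1 nonce.
add_action( 'wp_ajax_myplugin_save', 'myplugin_ajax_save' );
function myplugin_ajax_save() {
    // A stale nonce from the logged-out page fails here: check_ajax_referer()
    // recomputes the hash with the logged-in user ID and session token.
    check_ajax_referer( 'myplugin_save', 'security' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_user_meta( get_current_user_id(), 'myplugin_note', $note );

    wp_send_json_success( array( 'saved' => true ) );
}
```

On the client side the second request has to read save_nonce out of the first response and send it as the 'security' field; if it keeps sending the nonce that was printed into the logged-out page, check_ajax_referer() in step 2 rejects the request, which is the behaviour the ticket reports. The set_logged_in_cookie hook is the part that is easy to miss: without it the nonce returned by step 1 is computed with an empty session token and is rejected on the next request even though the user ID is already correct.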
