[wp-trac] [WordPress Trac] #53236: Nonce lifespans are inaccurate and unintuitively affected by timezones

WordPress Trac noreply at wordpress.org
Thu May 20 09:51:47 UTC 2021


#53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
--------------------------+-----------------------------
 Reporter:  lev0          |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  minor         |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The docs on
 [[https://developer.wordpress.org/reference/functions/wp_verify_nonce/|wp_verify_nonce()]]
 specify that nonces are either 0-12 or 12-24 hours old by default, but
 this isn't true. In reality, the value `1` means < 12 hours old, but `2`
 means anywhere from 1 second to < 24 hours old.

 Observe what happens to the nonce tick value over a day:

 ||=local time=||=seconds since epoch=||=tick=||
 ||2021-05-20T00:00:00+03:00||1621458000||37534||
 ||2021-05-20T01:00:00+03:00||1621461600||37534||
 ||2021-05-20T02:00:00+03:00||1621465200||37534||
 ||2021-05-20T03:00:00+03:00||1621468800||37534||
 ||2021-05-20T04:00:00+03:00||1621472400||37535||
 ||2021-05-20T05:00:00+03:00||1621476000||37535||
 ||2021-05-20T06:00:00+03:00||1621479600||37535||
 ||2021-05-20T07:00:00+03:00||1621483200||37535||
 ||2021-05-20T08:00:00+03:00||1621486800||37535||
 ||2021-05-20T09:00:00+03:00||1621490400||37535||
 ||2021-05-20T10:00:00+03:00||1621494000||37535||
 ||2021-05-20T11:00:00+03:00||1621497600||37535||
 ||2021-05-20T12:00:00+03:00||1621501200||37535||
 ||2021-05-20T13:00:00+03:00||1621504800||37535||
 ||2021-05-20T14:00:00+03:00||1621508400||37535||
 ||2021-05-20T15:00:00+03:00||1621512000||37535||
 ||2021-05-20T16:00:00+03:00||1621515600||37536||
 ||2021-05-20T17:00:00+03:00||1621519200||37536||
 ||2021-05-20T18:00:00+03:00||1621522800||37536||
 ||2021-05-20T19:00:00+03:00||1621526400||37536||
 ||2021-05-20T20:00:00+03:00||1621530000||37536||
 ||2021-05-20T21:00:00+03:00||1621533600||37536||
 ||2021-05-20T22:00:00+03:00||1621537200||37536||
 ||2021-05-20T23:00:00+03:00||1621540800||37536||

 …and over the boundary of a tick:

 ||=local time=||=seconds since epoch=||=tick=||
 ||2021-05-20T14:59:58+03:00||1621511998||37535||
 ||2021-05-20T14:59:59+03:00||1621511999||37535||
 ||2021-05-20T15:00:00+03:00||1621512000||37535||
 ||2021-05-20T15:00:01+03:00||1621512001||37536||
 ||2021-05-20T15:00:02+03:00||1621512002||37536||

 In this example, you can see that a nonce generated at 3pm and verified
 one second later will return 2 because of the tick change. The ticks do
 not align with timezones due to their basis in universal time, so nonces
 will always appear “old” to your code at certain times of the day, as
 touched on in ticket:33635#comment:2.

 I haven't thought of a way to reduce the huge variance in ages that have
 equal nonce values, but I did think of a way to make them more
 predictable. I've attached a patch that would align ticks to WP's timezone
 so there would be a predictable two ticks per calendar day, a.m. and p.m.,
 starting at 00:00.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53236>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
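The following is an added illustration of the tick arithmetic behind the tables above; it is not code from the ticket, its attached patch, or WordPress core. `nonce_tick()` mirrors what `wp_nonce_tick()` computes in core (`ceil( time() / ( nonce_life / 2 ) )` with `nonce_life` defaulting to one day), and `verify_age()` reproduces the 1 / 2 / false outcome of `wp_verify_nonce()` by comparing tick values directly instead of hashes, which gives the same result for one action and user. The `offset` parameter is a hypothetical addition that models the idea described in the ticket (shifting the clock by the site's UTC offset so ticks land on local 00:00 and 12:00); it does not claim to reproduce the attached patch.

```python
import math
from datetime import datetime

DAY_IN_SECONDS = 86400
NONCE_LIFE = DAY_IN_SECONDS  # WordPress default; sites can change it via the 'nonce_life' filter


def epoch(iso: str) -> int:
    """Parse an ISO-8601 timestamp with a UTC offset (as in the tables) to seconds since epoch."""
    return int(datetime.fromisoformat(iso).timestamp())


def nonce_tick(now: int, nonce_life: int = NONCE_LIFE, offset: int = 0) -> int:
    """Mirror of core's wp_nonce_tick(): ceil(time / (life / 2)).

    offset (hypothetical, not in core): seconds added to the clock so that the
    half-life boundaries fall on the site's local midnight and noon.
    """
    return math.ceil((now + offset) / (nonce_life / 2))


def verify_age(created_at: int, verified_at: int, offset: int = 0) -> int:
    """Outcome of wp_verify_nonce() for a nonce made at created_at and checked at verified_at.

    Returns 1 when both fall in the same tick, 2 when the nonce is exactly one
    tick older than the current one, and 0 (core returns false) when it has expired.
    Core compares HMACs that embed the tick; comparing the ticks gives the same answer.
    """
    tick_then = nonce_tick(created_at, offset=offset)
    tick_now = nonce_tick(verified_at, offset=offset)
    if tick_then == tick_now:
        return 1
    if tick_then == tick_now - 1:
        return 2
    return 0


def ticks_over_day(local_midnight: int, offset: int = 0) -> list:
    """Tick value at each whole hour of the day starting at local_midnight (reproduces the first table)."""
    return [nonce_tick(local_midnight + 3600 * hour, offset=offset) for hour in range(24)]


if __name__ == "__main__":
    # Constructed sample: the ticket's UTC+03:00 site on 2021-05-20.
    midnight = epoch("2021-05-20T00:00:00+03:00")  # 1621458000
    for hour, tick in enumerate(ticks_over_day(midnight)):
        print(f"{hour:02d}:00 local -> tick {tick}")

    # A nonce issued at 15:00:00 local is already "one tick old" a second later.
    made = epoch("2021-05-20T15:00:00+03:00")
    print("verified 1 s later:", verify_age(made, made + 1))            # 2
    # With the hypothetical local-time alignment the same check returns 1.
    print("with +03:00 offset:", verify_age(made, made + 1, offset=3 * 3600))  # 1
    # And the tick boundaries move to local 00:00 and 12:00.
    print(ticks_over_day(midnight, offset=3 * 3600))
```

Running it reproduces the 37534 / 37535 / 37536 sequence from the first table and shows the boundary case from the second one; passing the site's UTC offset moves both boundaries onto the local calendar day, which is the predictability the ticket asks for, while the variance in age for a return value of 2 (anything from one second to just under 24 hours) remains, since that comes from the half-life design rather than the timezone.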

