[wp-trac] [WordPress Trac] #53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
WordPress Trac
noreply at wordpress.org
Fri May 21 08:02:15 UTC 2021
#53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
-------------------------------------------------+-------------------------
Reporter: lev0 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Date/Time | Version:
Severity: minor | Resolution:
Keywords: has-patch needs-testing needs-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by lev0):
I care less about the return values than making nonce expiry consistent.
Retaining `1` & `2` is purely for backwards compatibility. I'm not in the
habit of speculating about how others should or do use WP; citing core
usage is almost irrelevant given its popularity and extensibility.
Calendar-aligned ticks likely mean fewer expired nonces but are only
really helpful if ticks remain 2/day. Finer resolution of ticks obviates
the benefit of alignment.
Finer ticks have the advantage of making a nonce's guaranteed minimum
lifespan much closer to the expected `nonce_life` value. The effective
formula in use is (n-1)/n, so 2 ticks/life = (2-1)/2 = 1/2 = 12 hours, but
increasing the ticks to 6/life (as in my example patch) makes this minimum
5/6 = 20 hours. That's a significant difference as it's then longer than
most people are contiguously awake.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53236#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
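The (n-1)/n figure in the comment above can be checked with a small model of tick-based nonce expiry. This is an added illustration, not WordPress core's code nor the patch attached to the ticket; it assumes `nonce_life` is split into `ticks_per_life` equal ticks counted from the Unix epoch (core uses 2) and that a nonce verifies if it was generated in the current tick or any of the previous `ticks_per_life - 1` ticks, which for 2 ticks is core's current-or-previous-tick check.

```python
"""Model of tick-based nonce lifespans (illustration, not WordPress code)."""
import math


def nonce_tick(now: int, nonce_life: int, ticks_per_life: int) -> int:
    """Tick index for `now`; with 2 ticks this is ceil(time() / (nonce_life / 2))."""
    return math.ceil(now / (nonce_life / ticks_per_life))


def verify_nonce(created_at: int, now: int, nonce_life: int, ticks_per_life: int):
    """1 if generated in the current tick, 2 if in an older still-valid tick,
    else False (assumed generalisation of the 1/2 return values)."""
    age = nonce_tick(now, nonce_life, ticks_per_life) - nonce_tick(created_at, nonce_life, ticks_per_life)
    if age == 0:
        return 1
    if 0 < age < ticks_per_life:
        return 2
    return False


def valid_until(created_at: int, nonce_life: int, ticks_per_life: int) -> int:
    """Last second at which the nonce still verifies; tick k covers ((k-1)*len, k*len]."""
    tick_len = nonce_life // ticks_per_life
    tick = nonce_tick(created_at, nonce_life, ticks_per_life)
    end = (tick + ticks_per_life - 1) * tick_len
    # Pin the boundary with the verifier itself rather than trusting the arithmetic.
    assert verify_nonce(created_at, end, nonce_life, ticks_per_life)
    assert not verify_nonce(created_at, end + 1, nonce_life, ticks_per_life)
    return end


def lifespan_bounds(nonce_life: int, ticks_per_life: int, sample_tick: int = 10):
    """(min, max) seconds a nonce stays valid, sampling the first, middle and
    last second of one tick as the creation instant."""
    tick_len = nonce_life // ticks_per_life
    first = (sample_tick - 1) * tick_len + 1
    last = sample_tick * tick_len
    spans = [valid_until(c, nonce_life, ticks_per_life) - c
             for c in (first, (first + last) // 2, last)]
    return min(spans), max(spans)


if __name__ == "__main__":
    for n in (2, 6):
        lo, hi = lifespan_bounds(86400, n)
        print(f"{n} ticks/life: guaranteed {lo / 3600:.1f} h, at most {hi / 3600:.1f} h")
```

With a 24-hour `nonce_life`, 2 ticks give a guaranteed 12 hours and 6 ticks give 20 hours, matching the (n-1)/n minimum in the comment.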