[wp-trac] [WordPress Trac] #52600: wp_nonce_ays('log-out') is confusing
WordPress Trac
noreply at wordpress.org
Tue Nov 9 00:59:28 UTC 2021
#52600: wp_nonce_ays('log-out') is confusing
------------------------------------+---------------------
 Reporter:  david.kryzaniak         |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  5.9
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:
------------------------------------+---------------------
Comment (by peterwilsoncc):
I agree with @hellofromTonya, on each front:
WP coding standards avoid double assignments for reasons of clarity.
----
The 403 HTTP response makes sense as the message should only be shown if
the nonce has expired. If the nonce is valid, then the confirmation screen
is bypassed.
Presuming a nonce of `9a9b9c9d9e` the following will not show the
confirmation screen:
http://example.com/wp-login.php?action=logout&_wpnonce=9a9b9c9d9e
The following URLs will show a confirmation screen due to the invalid
nonce:
http://example.com/wp-login.php?action=logout&_wpnonce=1a1b1c1d1e
http://example.com/wp-login.php?action=logout
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52600#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
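
The behaviour described in the comment above, as an added sketch that is not part of the original message and is not WordPress core code. It models a time-bucketed HMAC nonce and runs the three kinds of logout URL from the comment, plus an expired nonce, through it. The `demo_*` functions, `SECRET`, the 12-hour tick, the 10-character nonce and the 302 redirect on success are assumptions of this sketch.

```php
<?php
// Simplified model of a nonce-gated logout. NOT WordPress core code.
// SECRET, TICK_SECONDS and the nonce length are assumptions of this sketch.
const SECRET = 'constructed-demo-secret';
const TICK_SECONDS = 43200; // assumed 12-hour tick

// Nonce = truncated HMAC over the time tick, the action and the user.
function demo_nonce(string $action, int $userId, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$userId", SECRET), 0, 10);
}

// Accept a nonce minted in the current or previous tick; anything else
// (missing, malformed, forged or expired) is rejected.
function demo_verify($nonce, string $action, int $userId, int $now): bool {
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }
    $tick = intdiv($now, TICK_SECONDS);
    foreach ([$tick, $tick - 1] as $t) {
        // hash_equals() compares in constant time.
        if (hash_equals(demo_nonce($action, $userId, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Returns [HTTP status, outcome] for a logout request URL.
function demo_logout(string $url, int $userId, int $now): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    if (demo_verify($query['_wpnonce'] ?? null, 'log-out', $userId, $now)) {
        return [302, 'logged out, confirmation screen bypassed'];
    }
    return [403, 'confirmation screen shown, session untouched'];
}

$now   = 1636419568; // constructed timestamp
$valid = demo_nonce('log-out', 7, intdiv($now, TICK_SECONDS));
$base  = 'http://example.com/wp-login.php?action=logout';
$cases = [ // each entry: [URL, time of the request]
    'valid nonce'   => ["$base&_wpnonce=$valid", $now],
    'wrong nonce'   => ["$base&_wpnonce=1a1b1c1d1e", $now],
    'no nonce'      => [$base, $now],
    'expired nonce' => ["$base&_wpnonce=$valid", $now + 2 * TICK_SECONDS],
];
foreach ($cases as $label => [$url, $when]) {
    [$status, $outcome] = demo_logout($url, 7, $when);
    printf("%-14s %d  %s\n", $label, $status, $outcome);
}
```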