nonce_user_logged_out and unique UIDs
I am struggling to understand something related to the `nonce_user_logged_out` hook and its `uid`. According to the docs, when we call `wp_create_nonce` and the user is logged out, the nonce generator assumes `uid = 0`.
Thus I apply the `nonce_user_logged_out` filter and pass `rand()` as `uid` (or `time()`, or whatever _unique_ value that is generated anew, different from any previous one, every time the form is loaded). This seems to break `check_ajax_referer`. In fact, `check_ajax_referer` only appears to validate if the `uid` is “fixed”. For example, if I pass `123` as `uid` then it validates; if I pass `time()` or `rand()` it does not. I do understand this is because the values I use are truly unique: never once the same. However, what I do not understand is that it appears that when the form is submitted (via AJAX), and the JS sends the POSTed data with the (correct) nonce to the PHP callback, a NEW nonce is generated??
The form is not loaded again.
In fact, if we observe the HTML of the form – the nonce will change each time the form reloads, yes, but of course it stays the same as long as we do not reload the form.
The AJAX POST request does NOT reload the form; it merely passes the data to the PHP callback, and in that callback the nonce check happens, which SHOULD check for the nonce generated when the form was loaded, not for some new nonce. If it is not clear – here the logic is illustrated with some dummy code:
1. `add_filter( 'nonce_user_logged_out', 'make_uid_unique', 10, 2 );`
2. Callback `make_uid_unique` returns `$uid = time();` or `$uid = rand();` if `$action` is `my_nonce`.
3. HTML form has `<input type="hidden" name="nonce_s" value="<?php echo esc_attr( wp_create_nonce( 'my_nonce' ) ); ?>">`
4. jQuery AJAX POSTs `nonce: $('input[name="nonce_s"]').val(),`
5. PHP callback does `check_ajax_referer( 'my_nonce', 'nonce' );`
This fails, even if the nonce visible in the `nonce_s` input field is the exact same as the `nonce` passed in the AJAX POST.
As soon as you pass, for example, the IP, or any other static value in the `nonce_user_logged_out` filter, it works. I do not understand why. It appears to me the nonce is regenerated on the AJAX POST request, but that does not make sense, since the PHP for that is not executed at all, unless the page is reloaded.
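As an added example (not part of the original post, and not WordPress's own code), the following Python model mirrors how `wp_create_nonce()` and `wp_verify_nonce()` derive a nonce: an HMAC-MD5 over `tick|action|uid|token` keyed with the nonce salt, of which ten characters are kept. The `nonce_user_logged_out` filter is modelled as a callable that both functions invoke whenever the uid is 0. That is the behaviour the post runs into: the filter is applied during verification as well as during creation, so a value such as `time()` or `rand()` that changes on every call can never reproduce the hash, while a fixed value or a stable per-visitor value (here derived from a constructed cookie string) verifies. The salt, the cookie values and the helper names are constructed for this demonstration.

```python
import hashlib
import hmac
import itertools
import math
import time

# Constructed stand-in for wp_salt('nonce'); a real site uses its own secret salt.
NONCE_SALT = b"constructed-demo-salt-not-a-real-wp-salt"
NONCE_LIFE = 86400  # DAY_IN_SECONDS, the default nonce lifetime


def nonce_tick(now=None):
    """Model of wp_nonce_tick(): index of the current half-lifetime window."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def resolve_uid(uid, action, uid_filter):
    """Model of apply_filters('nonce_user_logged_out', $uid, $action):
    only consulted when there is no logged-in user (uid == 0)."""
    return uid_filter(uid, action) if not uid else uid


def hash_nonce(tick, action, uid, token):
    """Model of substr(wp_hash("$tick|$action|$uid|$token", 'nonce'), -12, 10)."""
    data = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, uid_filter, uid=0, token="", now=None):
    """Model of wp_create_nonce() for a visitor with an empty session token."""
    uid = resolve_uid(uid, action, uid_filter)
    return hash_nonce(nonce_tick(now), action, uid, token)


def verify_nonce(nonce, action, uid_filter, uid=0, token="", now=None):
    """Model of wp_verify_nonce(): the filter runs AGAIN here, with whatever it
    returns now; the current tick (1) and the previous tick (2) are accepted."""
    uid = resolve_uid(uid, action, uid_filter)
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, hash_nonce(tick, action, uid, token)):
        return 1
    if hmac.compare_digest(nonce, hash_nonce(tick - 1, action, uid, token)):
        return 2
    return False


# --- three candidate filters for logged-out visitors (constructed) ---

def fixed_uid(uid, action):
    """Same value on create and on verify: the hash is reproducible."""
    return 123


_counter = itertools.count(1)


def unique_uid(uid, action):
    """Stands in for time()/rand(): a fresh value on every call, so the value
    seen during verification never equals the one used during creation."""
    return next(_counter)


def visitor_uid_filter(cookie_value):
    """Stable per-visitor uid derived from a (constructed) session cookie,
    so different visitors cannot reuse each other's nonces."""
    def uid_filter(uid, action):
        return hashlib.sha256(cookie_value.encode()).hexdigest()[:16]
    return uid_filter


def demo(now=10 * NONCE_LIFE + 1):
    """Run each filter through a create/verify round trip at a fixed clock."""
    action = "my_nonce"
    results = {}
    results["fixed"] = verify_nonce(create_nonce(action, fixed_uid, now=now),
                                    action, fixed_uid, now=now)
    results["unique"] = verify_nonce(create_nonce(action, unique_uid, now=now),
                                     action, unique_uid, now=now)
    visitor_a = visitor_uid_filter("constructed-cookie-visitor-a")
    visitor_b = visitor_uid_filter("constructed-cookie-visitor-b")
    nonce_a = create_nonce(action, visitor_a, now=now)
    results["same_visitor"] = verify_nonce(nonce_a, action, visitor_a, now=now)
    results["other_visitor"] = verify_nonce(nonce_a, action, visitor_b, now=now)
    # Half a lifetime later the tick has advanced; the previous tick still passes (2).
    results["previous_tick"] = verify_nonce(nonce_a, action, visitor_a,
                                            now=now + NONCE_LIFE / 2)
    # A full lifetime later neither accepted tick matches: the nonce has expired.
    results["expired"] = verify_nonce(nonce_a, action, visitor_a,
                                      now=now + NONCE_LIFE)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

The `unique` case is the situation described in the post: nothing regenerates the nonce in the form, but the verifier recomputes the expected hash from the filter's current return value, and a value that is new on every call cannot match. The `visitor_*` cases show the property a practitioner usually wants from this filter: a uid that is stable for one visitor across the page load and the AJAX request, yet differs between visitors.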