Tag: nonce

WordPress caching and nonce lifespan

on June 18, 2012 in WordPress with 9 comments by

A security feature available in WordPress is a “nonce”. Generally, a “nonce” is a token that can only be used once and is often used to prevent unauthorised people from submitting data on behalf of another person. Let’s simplify that:

  • Person A is given nonce “A”
  • Person B is given nonce “B”
  • Person B attempts to submit data to the server on behalf of person A
  • The server reads the submitted data from person B as “Person A with nonce ‘B’ is submitting data”. Knowing that Person A does not have nonce ‘B’, it ignores/denies the submitted data.

WordPress differs by giving the nonce a lifespan and allowing it to be used more than once within that lifespan by the same person. By the ‘same person’ is meant either a logged-in WordPress user or an anonymous user (a visitor who is not logged in).