
session - Re-use Nonce in Repeating Event Signup Buttons


My understanding is that wordpress nonces (not exactly a "number used once") prevent cross-origin request forgery and last 12 hours.

I'm displaying a schedule of classes with a registration button for each class. I am re-using the nonce so that each button repeats the same nonce in a data attribute:

<button data-nonce="85bad21a61" data-event="unique-data">Unique</button>
<button data-nonce="85bad21a61" data-event="unique-data">Unique</button>

Users aren't logged in to wordpress. I'm storing their account data, returned from a successful API login, in a WP_Session variable.

Nonce is created with this line:

wp_create_nonce( 'register_for_an_event' )

And verified in an ajax function here:

check_ajax_referer( 'register_for_an_event', 'nonce', false ); // action name first, then the name of the request field that carries the nonce

I am logging some of the transactions to a text file and finding that different users are frequently submitting the same nonce, which seems natural as it's simply an html data attribute.

Is this a reasonable use of wp nonces?

The reason I'm concerned is that I'm told that intermittently a user will attempt to register for an event via the API, and instead, the previous user to register will be added to the event a second time.

Since users do not have WP accounts, I'm imagining that nonces are not the solution to this problem.


asked Dec 12, 2018 at 1:37 by MikeiLL
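The following is an added example (not the asker's code) showing why every anonymous visitor ends up holding the same nonce value, and what a nonce check for this endpoint looks like when the return value is actually used. wp_create_nonce() hashes the current 12-hour tick, the action string, the user ID and the session token; for a visitor without a WordPress account the user ID is 0 and the session token is empty, so the only varying input is the tick window and all such visitors get identical nonces for 'register_for_an_event'. The action name and the 'nonce' request field come from the question; my_session_get_account() is a hypothetical helper standing in for however the API login data is read back out of the session.

```php
<?php
// Added example, not the asker's code. Assumes WordPress is loaded and that
// my_session_get_account() (hypothetical) returns the array stored at API login.

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'event-signup', get_stylesheet_directory_uri() . '/signup.js', array( 'jquery' ), null, true );
    // One nonce for the whole schedule is fine: the nonce proves the request
    // originated from a page this site served, nothing more. Every anonymous
    // visitor in the same tick window receives the same value for this action.
    wp_localize_script( 'event-signup', 'eventSignup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'register_for_an_event' ),
    ) );
} );

function register_for_an_event_handler() {
    // check_ajax_referer( $action, $query_arg, $die ): the action the nonce was
    // created for comes first, then the request field holding the nonce.
    // With $die = false a bad nonce returns false instead of ending the request,
    // so the result has to be checked here or the check is a no-op.
    if ( ! check_ajax_referer( 'register_for_an_event', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired token' ), 403 );
    }

    // Who is registering comes from server-side session state, never from the
    // request body: the nonce is shared between visitors and cannot identify one.
    $account = my_session_get_account(); // hypothetical helper; array or null
    if ( empty( $account['id'] ) ) {
        wp_send_json_error( array( 'message' => 'Not logged in' ), 401 );
    }

    $event_id = isset( $_POST['event'] ) ? sanitize_text_field( wp_unslash( $_POST['event'] ) ) : '';
    if ( '' === $event_id ) {
        wp_send_json_error( array( 'message' => 'Missing event' ), 400 );
    }

    wp_send_json_success( array( 'event' => $event_id, 'account' => (int) $account['id'] ) );
}
// Visitors without a WP login reach the nopriv hook; logged-in users the other.
add_action( 'wp_ajax_nopriv_register_for_an_event', 'register_for_an_event_handler' );
add_action( 'wp_ajax_register_for_an_event', 'register_for_an_event_handler' );
```

Seeing the same nonce from many users in the log is therefore the normal behaviour for anonymous traffic, and the nonce cannot be what attaches a registration to the wrong account; that link is made by whatever the handler reads as the current account.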

1 Answer

Nonces are not the way to solve your problem. You're using it correctly. I would look at the $wpdb->insert array you're probably using, and implement a check for data to exist that matches the proposed "new" entry.

I actually set up a Twilio SMS to fire off when weird validation errors are encountered. I have it text me a message and the database row id. I usually know about the problem while my client is still on their device having trouble. They think I'm magic when I text them and ask if they're having an issue.
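As an added example (not the answerer's code), this is the existence check the answer recommends placing in front of $wpdb->insert, backed by a UNIQUE key so that two requests arriving at the same moment cannot both slip past the application-level check and produce the duplicate row described in the question. The table name wp_event_signups and its columns (event_id, account_id, created_at) are assumptions for the example.

```php
<?php
// Added example, not the answerer's code. Table and column names are assumed.

/**
 * Register an account for an event exactly once.
 * Returns 'created', 'duplicate' or 'error'.
 */
function register_account_for_event( $event_id, $account_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'event_signups'; // assumed table name

    // 1. Application-level check: refuse a row that already matches the
    //    proposed "new" entry, as the answer suggests.
    $existing = $wpdb->get_var( $wpdb->prepare(
        "SELECT id FROM {$table} WHERE event_id = %s AND account_id = %d LIMIT 1",
        $event_id,
        $account_id
    ) );
    if ( null !== $existing ) {
        return 'duplicate';
    }

    // 2. Database-level check: the UNIQUE key rejects a second row even when two
    //    requests passed step 1 simultaneously. $wpdb->insert returns false on a
    //    constraint violation and $wpdb->last_error carries MySQL's message.
    $inserted = $wpdb->insert(
        $table,
        array(
            'event_id'   => $event_id,
            'account_id' => $account_id,
            'created_at' => current_time( 'mysql', true ),
        ),
        array( '%s', '%d', '%s' )
    );

    if ( false === $inserted ) {
        // MySQL error 1062 reads "Duplicate entry ..."; treat it as a benign repeat
        // rather than a failure, and log anything else for follow-up.
        if ( false !== stripos( $wpdb->last_error, 'Duplicate entry' ) ) {
            return 'duplicate';
        }
        error_log( sprintf(
            'event signup insert failed for event %s, account %d: %s',
            $event_id,
            $account_id,
            $wpdb->last_error
        ) );
        return 'error';
    }
    return 'created';
}

// Table definition with the UNIQUE key; run once, for example on plugin activation.
function event_signups_install() {
    global $wpdb;
    $table   = $wpdb->prefix . 'event_signups';
    $charset = $wpdb->get_charset_collate();
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        event_id varchar(190) NOT NULL,
        account_id bigint(20) unsigned NOT NULL,
        created_at datetime NOT NULL,
        PRIMARY KEY  (id),
        UNIQUE KEY event_account (event_id, account_id)
    ) {$charset};" );
}
```

The SELECT alone leaves a window between the check and the insert; the UNIQUE key closes it, and logging the $wpdb->last_error text on any other failure gives the same kind of early signal the answer gets from its SMS alert.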
