I have a form in my plugin similar to this:
<form>
<?php wp_nonce_field('my_form','_my_token'); ?>
</form>
It generates these two fields:
<input type="hidden" id="_my_token" name="_my_token" value="abcdefghij" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/tools.php?page=my-plugin%2Fplugin.php" />
When I submit this form, I validate it as follows:
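// Reject the request when the nonce field is missing or does not verify for the 'my_form' action.
if ( ! isset( $_POST['_my_token'] ) || ! wp_verify_nonce( $_POST['_my_token'], 'my_form' ) ) {
    // Debug output: prints the nonce the server currently generates for this action.
    echo 'Invalid token! Expected token: ' . wp_create_nonce( 'my_form' );
    exit;
}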
The problem is that the token never changes on the server; it is always the same, and verification at this stage always fails. If I log out of WordPress and log in again, the token changes on the client, but on the server it is the same.
I tested this locally, and when I log in again, it always changes the token on both sides, but in my production environment it only changes on the client side.
, - , , . WP Super Cache, , . , , , . ?