Geek Answers Handbook

Where is WordPress nonces stored?

I tried to figure out where WordPress stores all nonces. But could not find clues. At first I checked the database, but could not find a table named wp_nonces.

+8
php wordpress
source share
3 answers

I posted this question 11 months ago.

All the answers I received were excellent and helped me a lot.

But none of them addressed the storage location of WordPress nonces. That was my real question.

So, I dug up the WordPress source code and was able to find the right storage location for WordPress nonces.

They are stored in user sessions.

These are unique tokens stored in a user session. Nonces have a specific lifespan.

If a user logs out of WordPress, then the characters will not be valid.

PS: I asked this question and now I am posting this answer to help others :)

+6
source share

Nonces are not stored directly anywhere, they are created using the wp_create_nonce function and checked using wp_verify_nonce .

These functions, in turn, use wp_hash for the hash along with the lifespan, user string, user_id, and session token stored in wp_usermeta, with the key session_tokens .

+2
source share

Nonces are one-time tokens created by WordPress to check various requests, such as adding a comment, deleting a post, deleting a user, etc.

They are not stored anywhere, and they should not be.

Take the following example; when managing content in WordPress, the Bin link might look something like this:

http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682

However, if you tried to change the page / message identifier in the URL to something else (see below), then nonce will no longer be valid, will return a 403 error and display: "Are you sure? Do you want to do this?"

http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682

Adding the _nonce hidden field (take Contact Form 7 as a basic example) is generally a good practice when embedding forms in WordPress because it prevents cross-site request forgery (CSRF), etc.

Resources

0
source share

More articles:


All Articles