[wp-hackers] Rethinking check_admin_referer()

John Joseph Bachir jjb at ibiblio.org
Wed Apr 19 20:40:36 GMT 2006


On Wed, 19 Apr 2006, Owen Winkler wrote:

> Primarily, using database storage for the nonce becomes inconvenient for 
> the case with two users logged in under the same account at different 
> locations, since they would presumably be performing different 
> operations at the same time, and could very likely never have a valid 
> nonce, according to what's stored in the database.

There could be a nonce per action and per object. And there's nothing 
wrong with having multiple nonces for the same action on the same object 
(which eventually time out). This is how Lyceum's nonce system works.

> By the time you code a way around that, you've probably reached the 
> complexity of the purely computational nonce we've been suggesting, AND 
> you've added an additional albeit minor database drain.

What do you mean by purely computational nonce? (sorry if I missed that 
bit of the thread)

John
----
aim/yim/msn/jabber.org: johnjosephbachir
713.494.2704
irc://irc.freenode.net/lyceum
http://lyceum.ibiblio.org/
http://blog.johnjosephbachir.org/
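An added example, not from the original post and not Lyceum's or WordPress's code: a database-stored nonce table of the kind John describes, keyed per user, per action and per object, where several nonces for the same action on the same object may be live at once and each simply times out. It exercises Owen's two-locations case (one account, two browsers) to show why inserting a row instead of replacing one avoids the clobbering he worried about. The twelve-hour lifetime, the table layout, the `NonceStore` name and the use of in-memory sqlite3 are all assumptions made for the example; the post specifies none of them.

```python
import hmac
import secrets
import sqlite3
import time

# Assumed lifetime; the post only says nonces "eventually time out".
NONCE_LIFETIME = 12 * 60 * 60  # seconds


class NonceStore:
    """Nonces keyed per (user, action, object); several may be live at once."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised offline
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE nonces ("
            "user_id INTEGER NOT NULL, action TEXT NOT NULL, object_id TEXT NOT NULL, "
            "nonce TEXT NOT NULL UNIQUE, expires REAL NOT NULL)"
        )

    def _purge(self):
        self.db.execute("DELETE FROM nonces WHERE expires <= ?", (self.now(),))

    def issue(self, user_id, action, object_id):
        """Mint a nonce for one (user, action, object).  Rows are added, never
        replaced, so a second browser on the same account gets its own nonce and
        the first browser's nonce stays valid until it times out."""
        self._purge()
        nonce = secrets.token_hex(16)
        self.db.execute(
            "INSERT INTO nonces VALUES (?, ?, ?, ?, ?)",
            (user_id, action, object_id, nonce, self.now() + NONCE_LIFETIME),
        )
        self.db.commit()
        return nonce

    def verify(self, user_id, action, object_id, nonce, single_use=False):
        """True only if `nonce` is live for exactly this user/action/object.
        single_use=True deletes it on success, which is stricter than the post
        (it mentions only time-outs) but closes replay within the lifetime."""
        if not isinstance(nonce, str) or not nonce.isascii():
            return False  # compare_digest needs ASCII str; anything else is not ours
        self._purge()
        live = self.db.execute(
            "SELECT nonce FROM nonces WHERE user_id = ? AND action = ? AND object_id = ?",
            (user_id, action, object_id),
        ).fetchall()
        # Compare against every live nonce for this scope in constant time
        # instead of short-circuiting; the set is small (one per open form).
        match = False
        for (candidate,) in live:
            match |= hmac.compare_digest(candidate, nonce)
        if match and single_use:
            self.db.execute("DELETE FROM nonces WHERE nonce = ?", (nonce,))
            self.db.commit()
        return match


def demo():
    """Owen's two-locations scenario, driven by a fake clock (constructed data)."""
    clock = [1_700_000_000.0]
    store = NonceStore(now=lambda: clock[0])
    uid, action, post = 7, "delete-post", "42"
    home = store.issue(uid, action, post)  # the account's browser at home
    work = store.issue(uid, action, post)  # same account, browser at work
    results = {
        "home_valid": store.verify(uid, action, post, home),
        "work_valid": store.verify(uid, action, post, work),  # not clobbered by `home`
        "other_object": store.verify(uid, action, "43", home),  # bound to the object
        "other_action": store.verify(uid, "edit-post", post, home),
        "other_user": store.verify(8, action, post, home),
        "garbage": store.verify(uid, action, post, "0" * 32),
    }
    clock[0] += NONCE_LIFETIME + 1
    results["home_after_timeout"] = store.verify(uid, action, post, home)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The cost Owen points to is visible in the code: every form render is an INSERT and every check is a SELECT plus a purge, whereas a nonce that can be recomputed from its inputs needs no table at all. Whether that trade is worth it depends on how many forms a page renders and how often the purge runs.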



More information about the wp-hackers mailing list