[wp-trac] [WordPress Trac] #53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
WordPress Trac
noreply at wordpress.org
Thu May 20 20:10:30 UTC 2021
#53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
-------------------------------------------------+-------------------------
 Reporter:  lev0                                 |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Date/Time                            |     Version:
 Severity:  minor                                |  Resolution:
 Keywords:  has-patch needs-testing              |     Focuses:
            needs-unit-tests                     |
-------------------------------------------------+-------------------------
Comment (by Rarst):
Ok, so I think the problem is that the documentation lies. It says "A nonce
is valid for 24 hours"; however, from a quick look, the accurate statement
would be "A nonce is valid within the time tick it was created in and the
one following it". So something like at most 24 hours (nonce created at the
very start of a tick) and at least 12 hours plus 1 second (nonce created
at the very end of a tick).

However, I do not follow what aligning nonces to the time zone accomplishes.
It seems the issue will remain exactly the same; it would only move ticks
relative to UTC time. The generation and check logic would be exactly
the same. Plus any weird timezone issues that would drag into it.

I think the documentation could be improved to reflect the real logic. So far
I do not see the need to change the tick generation logic.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53236#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
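
The tick behaviour described in the comment above, as an added example that is not part of the original message and is not WordPress core code. It is a stand-alone model: the `model_*` function names are hypothetical, a 24-hour nonce life is assumed, and the creation times are constructed sample values.

```php
<?php
// Added illustration: a model of tick-based nonce validity, not WordPress core code.
// Assumptions: 24-hour nonce life, whole-second timestamps, hypothetical function names.

const NONCE_LIFE = 86400;          // seconds (assumed default)
const TICK_LEN   = NONCE_LIFE / 2; // one tick = 12 hours

// Tick number for a Unix timestamp. Ticks are counted from the Unix epoch,
// so with a 24-hour life the boundaries fall at 00:00 and 12:00 UTC.
function model_nonce_tick(int $ts): int {
    return (int) ceil($ts / TICK_LEN);
}

// A nonce made in tick N verifies while the current tick is N or N + 1.
function model_nonce_accepted(int $created, int $now): bool {
    $age = model_nonce_tick($now) - model_nonce_tick($created);
    return $age === 0 || $age === 1;
}

// Seconds from creation until the first second at which verification fails.
function model_effective_lifetime(int $created): int {
    $first_rejected = (model_nonce_tick($created) + 1) * TICK_LEN + 1;
    return $first_rejected - $created;
}

// Constructed sample: creation times placed around one exact tick boundary.
$boundary = 37500 * TICK_LEN; // 1620000000
$samples  = [
    [1,        'start of tick'],
    [21600,    'mid tick'],
    [TICK_LEN, 'end of tick'],
];

foreach ($samples as [$offset, $label]) {
    $created = $boundary + $offset;
    $life    = model_effective_lifetime($created);
    // Cross-check the closed form against the accept/reject predicate.
    $last_ok   = model_nonce_accepted($created, $created + $life - 1);
    $first_bad = model_nonce_accepted($created, $created + $life);
    printf(
        "%-13s created %s UTC  lifetime %5d s (%.2f h)  last-ok=%s first-rejected-ok=%s\n",
        $label, gmdate('Y-m-d H:i:s', $created), $life, $life / 3600,
        var_export($last_ok, true), var_export(!$first_bad, true)
    );
}
```

Shifting every timestamp by a fixed offset before computing the tick moves the boundaries but leaves the spread between the shortest and longest lifetime unchanged.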