[wp-trac] [WordPress Trac] #53236: Nonce lifespans are inaccurate and unintuitively affected by timezones

WordPress Trac noreply at wordpress.org
Sun May 23 23:48:11 UTC 2021


#53236: Nonce lifespans are inaccurate and unintuitively affected by timezones
-------------------------------------------------+-------------------------
 Reporter:  lev0                                 |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Date/Time                            |     Version:  2.5
 Severity:  minor                                |  Resolution:
 Keywords:  has-patch needs-testing needs-unit-  |     Focuses:  docs
  tests                                          |
-------------------------------------------------+-------------------------
Changes (by peterwilsoncc):

 * focuses:   => docs
 * version:   => 2.5


Comment:

 I agree with Rarst that the best solution for WordPress here is a
 documentation improvement to indicate a nonce is valid for between 12 and
 24 hours, and the nonce tick is for the maximum life span rather than the
 minimum.

 I can see arguments either way as to whether the defined nonce tick should
 be maximum or minimum validity but as the code's been in place for many
 years, it needs to remain as is.

 As the nonce functions are pluggable, the changes proposed in
 [attachment:"nonce-age-resolution.patch"] could be released as a plugin but
 I think they're risky to include in WordPress Core.

 I've set the version to 2.5 as that's when `wp_nonce_tick()` and the
 related filter were added with the tick being the maximum life span.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53236#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
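The following is an added stand-alone model of the tick arithmetic discussed in the comment above; it is example code written for this page, not the ticket's patch or WordPress core's own implementation. It assumes core computes the tick as ceil(time / (nonce_life / 2)) and accepts a nonce whose hash matches either the current or the previous tick; the hashing is a simplified stand-in, and the timestamps and secret are constructed. Run with `php nonce-tick-model.php` (the filename is arbitrary) to see why a nonce lives between 12 and 24 hours and why the rollover points fall at 00:00 and 12:00 UTC irrespective of the site's timezone setting.

```php
<?php
// Added example, not WordPress core code: a stand-alone model of nonce ticks.
// Assumption: core computes the tick as ceil(time / (life / 2)) and accepts a
// nonce for the current tick and the previous one. Nothing here calls
// WordPress; the hashing is a simplified stand-in for illustration only.

const NONCE_LIFE = 86400; // DAY_IN_SECONDS: the *maximum* lifespan, per the comment.

// Tick counter: increments every half-lifespan (12 h for a 24 h nonce_life).
function nonce_tick(int $now, int $life = NONCE_LIFE): int {
    return (int) ceil($now / ($life / 2));
}

// Stand-in for creation: hash the tick together with the action under a secret.
function model_create_nonce(string $action, int $now, string $secret = 'constructed-secret'): string {
    return substr(hash_hmac('sha256', nonce_tick($now) . '|' . $action, $secret), -12, 10);
}

// Stand-in for verification: 1 = created this tick, 2 = previous tick, false otherwise.
function model_verify_nonce(string $nonce, string $action, int $now, string $secret = 'constructed-secret') {
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        $expected = substr(hash_hmac('sha256', $t . '|' . $action, $secret), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return $age;
        }
    }
    return false;
}

// Seconds until a nonce created at $created stops verifying.
// It verifies while ceil(now / half) <= tick + 1, i.e. while now <= (tick + 1) * half.
function remaining_lifetime(int $created, int $life = NONCE_LIFE): int {
    $half = intdiv($life, 2);
    return (nonce_tick($created, $life) + 1) * $half - $created;
}

$half      = intdiv(NONCE_LIFE, 2);
$tickStart = 1700000000 - (1700000000 % $half) + 1; // first second of a tick (constructed timestamp)
$tickEnd   = $tickStart + $half - 1;                 // last second of the same tick

// Created at the start of a tick: the rest of this tick plus all of the next one, just under 24 h.
printf("created at tick start : %.2f h remaining\n", remaining_lifetime($tickStart) / 3600);
// Created at the end of a tick: only the next tick remains, exactly 12 h.
printf("created at tick end   : %.2f h remaining\n", remaining_lifetime($tickEnd) / 3600);

$nonce = model_create_nonce('delete-post_42', $tickStart);
var_dump(model_verify_nonce($nonce, 'delete-post_42', $tickStart));             // int(1)
var_dump(model_verify_nonce($nonce, 'delete-post_42', $tickStart + $half));     // int(2)
var_dump(model_verify_nonce($nonce, 'delete-post_42', $tickStart + 2 * $half)); // bool(false)

// Tick boundaries are multiples of 12 h counted from the Unix epoch, so they fall at
// 00:00 and 12:00 UTC no matter which timezone the site is configured with.
echo gmdate('Y-m-d H:i:s', $tickStart - 1), " UTC is the last second of the previous tick\n";
```

The two `remaining_lifetime` calls are the whole argument in the comment: the configured `nonce_life` is the ceiling, and a nonce minted a second before a tick rolls over gets only half of it. The `gmdate` line shows the timezone point from the ticket title: because the tick divides raw Unix time, the rollover is pinned to noon and midnight UTC, not to the site's local day.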
