id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
15243,Incorrect user is set when using Ajax Nonces over HTTPS Connection,jeremysawesome,,"When using ajax nonces over a HTTPS connection the wp_verify_nonce function calculates an incorrect nonce and fails. This only occurs when a user is logged into WordPress. Somehow WordPress is unable to identify the right user when an ajax request comes in over https. The wp_hash function then calculates the nonce incorrectly and therefore the nonce check fails.


I've tested this by doing the following:
Added this code to both wp_create_nonce and wp_verify_nonce functions:

{{{
   // Debug output inserted into wp_create_nonce() and wp_verify_nonce();
   // $uid, $i and $action are the local variables of those functions.
   echo '<pre>';
   print_r(array(
      'user_id'=>$uid,
      'i'=>$i,
      'action'=>$action,
      // same calculation WordPress uses to derive the nonce
      'wp_hash'=>substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10)
   ));
   echo '</pre>';
}}}

I then ran several tests from the frontend of a site using ajax on both an HTTP and HTTPS connection. I tested the HTTPS connection while not logged in and while logged in, then again for the HTTP connection. Pay special attention to the wp_hash that gets calculated for each connection. You will notice that the hash is correct for every test except when logged in to WordPress and connecting over HTTPS.

Here are the results:

{{{
Attempt 1 OVER HTTPS:
   ---------- When not logged in wp_create_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [wp_hash] => d0a78cb732
   )

   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [nonce] => d0a78cb732
       [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
       [user_id] => 1
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
       [user_id] => 0
       [i] => 29810
       [action] => dna_wpec_reps_nonce
       [nonce] => 75855d4e1d
       [wp_hash] => d0a78cb732
   )

OVER HTTP://

   ---------- When not logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )


   ---------- When not logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 0
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => d0a78cb732
   )

   ---------- When logged in wp_create_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

   ---------- When logged in wp_verify_nonce ----------
   Array
   (
      [user_id] => 1
      [i] => 29810
      [action] => dna_wpec_reps_nonce
      [wp_hash] => 75855d4e1d
   )

}}}
",defect (bug),closed,normal,,General,3.0.1,normal,worksforme,reporter-feedback,
