Make nonce unique for users AND non-users
Reported by: sc0ttkclark | Owned by: nacin
Currently, wpnonce works from the nonce tick + action + current user ID. That means the nonce is only guaranteed unique for the current user, and all non-users can potentially share the same nonce.
As a solution to this problem, I'm requesting we add additional uniqueness for non-users. See below for my suggestion; it would go directly below where the $uid variable is set, within wp_create_nonce and wp_verify_nonce.
if ( empty( $uid ) ) $uid = uniqid( 'wpnonce_', true );
The use case for this addition is usage within a theme for public forms and other actions that do not require a logged-in user.
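The behaviour the ticket describes, as an added illustration that is neither WordPress code nor the reporter's: a simplified model of the 3.5-era derivation (nonce tick, action and user ID run through wp_hash(), last 12 characters, keep 10), with a dummy salt standing in for the site's nonce salt. It shows that every logged-out visitor gets the same nonce for a given action, that the one-line uniqid() suggestion produces different values on the create and verify sides, and that a per-visitor value which is the same on both sides (a cookie is assumed here) is what a working fix needs. The `demo_` functions, the salt and the cookie are assumptions for the example.

```php
<?php
// Added example, not code from WordPress or from the ticket. Models:
//   nonce = substr( wp_hash( $tick . $action . $uid, 'nonce' ), -12, 10 )
// wp_hash() is HMAC-MD5 keyed with the site's nonce salt; DEMO_NONCE_SALT
// is a stand-in for that salt (assumption).
const DEMO_NONCE_SALT = 'demo-salt-not-a-real-wp-salt';
const DEMO_NONCE_LIFE = 86400; // DAY_IN_SECONDS, the default nonce lifetime

function demo_nonce_tick( int $now ): int {
    // Same shape as wp_nonce_tick(): ticks every half lifetime.
    return (int) ceil( $now / ( DEMO_NONCE_LIFE / 2 ) );
}

function demo_hash( string $data ): string {
    return hash_hmac( 'md5', $data, DEMO_NONCE_SALT );
}

// $uid is a string so the example can also feed it the uniqid() variant.
function demo_create_nonce( string $action, string $uid, int $now ): string {
    $i = demo_nonce_tick( $now );
    return substr( demo_hash( $i . $action . $uid ), -12, 10 );
}

// Same current-or-previous-tick check as wp_verify_nonce(): 1, 2 or false.
function demo_verify_nonce( string $nonce, string $action, string $uid, int $now ) {
    $i = demo_nonce_tick( $now );
    if ( substr( demo_hash( $i . $action . $uid ), -12, 10 ) === $nonce ) {
        return 1;
    }
    if ( substr( demo_hash( ( $i - 1 ) . $action . $uid ), -12, 10 ) === $nonce ) {
        return 2;
    }
    return false;
}

$now    = time();
$action = 'submit_contact_form'; // constructed action name for a public theme form

// 1. Two unrelated anonymous visitors both have $uid = 0, so their nonces are identical.
$visitor_a = demo_create_nonce( $action, '0', $now );
$visitor_b = demo_create_nonce( $action, '0', $now );
var_dump( $visitor_a === $visitor_b );                               // bool(true)
// A logged-in user (ID 42, constructed) gets a different nonce for the same action.
var_dump( demo_create_nonce( $action, '42', $now ) === $visitor_a ); // bool(false)

// 2. The ticket's one-liner applied literally in both functions: uniqid() is
//    evaluated once on the create side and again on the verify side, so the two
//    sides never see the same $uid and verification always fails.
function demo_uid_with_uniqid( int $uid ): string {
    return empty( $uid ) ? uniqid( 'wpnonce_', true ) : (string) $uid;
}
$created = demo_create_nonce( $action, demo_uid_with_uniqid( 0 ), $now );
var_dump( demo_verify_nonce( $created, $action, demo_uid_with_uniqid( 0 ), $now ) ); // bool(false)

// 3. What a fix needs: a per-visitor value that is stable between the two calls.
//    Here a random token is generated once and reused, as a cookie set on the
//    first visit would be (assumption; not what WordPress 3.5 does).
function demo_uid_with_visitor_token( int $uid, string $visitor_token ): string {
    return empty( $uid ) ? 'visitor_' . $visitor_token : (string) $uid;
}
$visitor_token = bin2hex( random_bytes( 16 ) );   // stored client-side, sent back with the form
$created       = demo_create_nonce( $action, demo_uid_with_visitor_token( 0, $visitor_token ), $now );
var_dump( demo_verify_nonce( $created, $action, demo_uid_with_visitor_token( 0, $visitor_token ), $now ) ); // int(1)
// Another visitor's token does not verify against the first visitor's nonce.
$other_token = bin2hex( random_bytes( 16 ) );
var_dump( demo_verify_nonce( $created, $action, demo_uid_with_visitor_token( 0, $other_token ), $now ) );   // bool(false)
```

The point of part 3 is that "uniqueness" on its own is not enough: whatever distinguishes one logged-out visitor from another has to be available to both wp_create_nonce and wp_verify_nonce, which means it has to travel with the visitor (a cookie or session) rather than be generated inside the nonce functions.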
Change History (13)
- Keywords dev-feedback removed
- Milestone changed from Awaiting Review to 3.5