Make WordPress Core

Opened 6 years ago

Last modified 4 months ago

#27165 new defect (bug)

Incorrect nonce supplied when authenticated session expires

Reported by: joe_bopper
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 3.8.1
Component: Login and Registration
Keywords: needs-testing
Focuses:
Cc:
PR Number:

Description

I was using a nonce (with action name) for a nopriv ajax request and found that the nonce supplied via page load was invalid, whereas the nonce supplied via ajax request was valid. This only occurs when the admin area prompts to re-authenticate the current user.

In my system, a nonce (action 'xyz', say) is given via localize script to the client on page load. This nonce is then used to verify a subsequent nopriv ajax request. This request then responds with the latest nonce (for 'xyz') (which may be the same, of course) for any further ajax requests.

However, I suddenly found that upon page reload, the nonce provided via localize script was invalid. Assuming this was a bug in my code, I commented out nonce verification in my action function. I then discovered that the "new" nonce being supplied in the ajax response was always different to the initial nonce despite the same action name being used in its creation. On further experimentation it became apparent that the nonce supplied by ajax response was valid and did verify with further ajax requests. I then found I had the admin area open in a separate tab and it was prompting me to re-authenticate. Upon logging back in the nonces realigned and worked again.

tl;dr: Requests by ajax consider the current user differently to a fresh page load (for nonces at least) when in logged-in limbo. The bug is that they shouldn't.

It's a very minor issue but it was very confusing and took me quite some time to find the somewhat non-intuitive solution.

Change History (4)

#1 @joe_bopper
6 years ago

  • Severity changed from normal to minor

#2 follow-up: @nacin
6 years ago

  • Keywords close added

Hi joe_bopper, nonces are not only specific to the action (and a window of time) but also to the user. A logged-in user gets a nonce specific to them; a logged-out user gets a completely different nonce. So I'm not sure there's anything we can do here; you may need to re-evaluate what you're doing and make adjustments as necessary.

#3 in reply to: ↑ 2 @joe_bopper
6 years ago

  • Keywords close removed

Hi nacin, thanks for getting back to me.

I'm aware nonces are user-dependent and perhaps I wasn't clear enough in my initial ticket. The user (as in the person) is the same throughout. The issue occurs when the user is logged in (with the admin area in a separate tab, say) and their authentication expires. The admin area then prompts the user to reconfirm their password. If the user neglects to do this (they're not doing anything in the admin area so aren't aware, for example), a nonce provided by page refresh is different to one provided by ajax despite the user, the user's authenticated status, the action name and the 12hr window of time all being the same.

My guess is that while the user is in this state of logged-in limbo, a request by ajax still considers the user to be logged-in whereas a fresh page load considers the user logged-out.

It is only a minor bug because it will only occur rarely but it is unexpected behaviour. Of course, it is no longer an issue for me as I'm aware that should it happen again, I can just log back in (or log out) to sort it out.
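As an added illustration (not code from the ticket or from WordPress itself), the stand-alone PHP below models the two pieces that interact in the flow from the description and in the hypothesis of comment 3: nonce derivation, which folds the current user ID into the hash as comment 2 says, and the expiry check in wp_validate_auth_cookie(), which grants Ajax and POST requests a one-hour grace period after the auth cookie's expiry while a plain GET page load gets none. Inside that hour an admin-ajax.php request still runs as the logged-in user but a fresh page load runs as user 0, so the two nonces for the same action and the same 12-hour tick cannot match. The model_ functions, the salt constant, the user ID 7 and the timestamp are all constructed for the example.

```php
<?php
// Added example, not WordPress code: a stand-alone model of how a nonce is
// derived and of the auth-cookie expiry check, enough to reproduce the split
// described in this ticket. Names prefixed model_ are hypothetical stand-ins
// for wp_nonce_tick(), wp_create_nonce(), wp_verify_nonce() and
// wp_validate_auth_cookie() in wp-includes/pluggable.php.

const HOUR_IN_SECONDS = 3600;
const DAY_IN_SECONDS  = 86400;
// Constructed value standing in for wp_salt('nonce'); not a real secret.
const MODEL_NONCE_SALT = 'constructed-nonce-salt';

// Nonce ticks are 12 hours wide (half of the default 24-hour nonce_life).
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (DAY_IN_SECONDS / 2));
}

// The nonce is 10 hex chars of an HMAC over "tick|action|user ID"
// (the 3.8.1 shape; later versions add the session token to the data).
function model_nonce_for_tick(int $tick, string $action, int $uid): string {
    return substr(hash_hmac('md5', "$tick|$action|$uid", MODEL_NONCE_SALT), -12, 10);
}

function model_create_nonce(string $action, int $uid, int $now): string {
    return model_nonce_for_tick(model_nonce_tick($now), $action, $uid);
}

// Returns 1 (current tick, 0-12 h old), 2 (previous tick, 12-24 h old) or 0 (invalid).
function model_verify_nonce(string $nonce, string $action, int $uid, int $now): int {
    $tick = model_nonce_tick($now);
    if (hash_equals(model_nonce_for_tick($tick, $action, $uid), $nonce)) {
        return 1;
    }
    if (hash_equals(model_nonce_for_tick($tick - 1, $action, $uid), $nonce)) {
        return 2;
    }
    return 0;
}

// Expiry check as in wp_validate_auth_cookie(): Ajax and POST requests get a
// one-hour grace period before the cookie is treated as expired. An expired
// cookie means the request runs as a logged-out visitor, i.e. user ID 0.
function model_user_from_cookie(int $cookie_uid, int $cookie_expiration, int $now, bool $ajax_or_post): int {
    $expired = $cookie_expiration;
    if ($ajax_or_post) {
        $expired += HOUR_IN_SECONDS;
    }
    return ($expired < $now) ? 0 : $cookie_uid;
}

// Replays the ticket: same person, same action, same 12-hour tick, but the
// page load and the Ajax request disagree about who the current user is.
function model_limbo_demo(): array {
    $uid        = 7;                  // constructed: the logged-in author's user ID
    $expiration = 1700000000;         // constructed: auth cookie expiry timestamp
    $now        = $expiration + 600;  // ten minutes after the cookie expired

    // Fresh page load (GET): no grace period, so wp_localize_script() would
    // hand the browser a nonce computed for user 0.
    $page_uid   = model_user_from_cookie($uid, $expiration, $now, false);
    $page_nonce = model_create_nonce('xyz', $page_uid, $now);

    // admin-ajax.php request inside the grace hour: cookie still accepted,
    // so the nonce is computed, and verified, for user 7.
    $ajax_uid   = model_user_from_cookie($uid, $expiration, $now, true);
    $ajax_nonce = model_create_nonce('xyz', $ajax_uid, $now);

    return [
        'page_uid'             => $page_uid,
        'ajax_uid'             => $ajax_uid,
        'page_nonce_verifies'  => model_verify_nonce($page_nonce, 'xyz', $ajax_uid, $now),
        'ajax_nonce_verifies'  => model_verify_nonce($ajax_nonce, 'xyz', $ajax_uid, $now),
        // Once the grace hour is over, Ajax sees the same logged-out user as the page load.
        'ajax_uid_after_grace' => model_user_from_cookie($uid, $expiration, $expiration + 2 * HOUR_IN_SECONDS, true),
    ];
}

print_r(model_limbo_demo());
```

Run with `php model.php`: the page load resolves to user 0 and the Ajax request to user 7, the page-load nonce fails verification in the Ajax handler while the nonce minted by the Ajax handler passes, and once the grace hour has elapsed both request types agree on user 0 again. When diagnosing a report like this one, comparing get_current_user_id() during the page render with its value inside the admin-ajax.php handler is the quickest way to confirm that the two requests are running as different users.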

#4 @chriscct7
4 years ago

  • Keywords needs-testing added