No recommended nonce refresh functionality in Heartbeat.

[programmin]

Oddly enough it seems there isn't an obvious way to refresh nonces that may be needed on the page after heartbeat-api login dialog. For example, go to wordpress plugins listing page, notice the activate, deactivate links all have a nonce part in the request.

In a second tab, log out of the site, and go back to plugin listing page.

After awhile, the page realizes it's not logged in, and pops up a log in screen. Log in, and click an "activate" or "deactivate" button.

Notice it gives the nonce-failure message, "are you sure you want to do this"? Because the previous session's nonces don't work. Why does Wordpress not know to refresh these nonces? I thought new nonces would be sent back as a heartbeat-ajax, but it looks like there isn't an ajax request with the login screen.

It seems $(document).on('heartbeat-nonces-expired') can be used to detect when this situation happens, but it happens many times after login successful, is not just triggered once.

[mark-k]

This can go even further and apply to all pages which have nonce. Getting the "are you sure...." message is always a WTF moment even for experienced users. Pages with nonces on them should suggest a refresh of the page when they detect they might have expired.

[leedo]

I must say I find this very frustrating. We recently began using 2FA on our install, which ends up logging users out every 48 hrs. This logout can happen while they're editing a post, at which point they'll be presented with a login dialog. The dialog's wording makes them think they can login and continue editing. The reality is that they can continue editing, but the second they try to save, they will be presented with the awful "are you sure..." message, and all their changes are lost.

[jdgrimes]

Related: #31897, #23216

[jdgrimes]

Related: #24447 (comment)