Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#29312 new enhancement

No recommended nonce refresh functionality in Heartbeat.

Reported by: programmin
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.6
Component: Administration
Keywords: dev-feedback
Focuses: javascript, administration
Cc:


Oddly enough, it seems there isn't an obvious way to refresh nonces that may be needed on the page after the heartbeat-api login dialog. For example, go to the WordPress plugins listing page and notice that the activate and deactivate links all have a nonce part in the request.

In a second tab, log out of the site, and go back to plugin listing page.

After a while, the page realizes it's not logged in and pops up a login screen. Log in, and click an "activate" or "deactivate" button.

Notice it gives the nonce-failure message, "Are you sure you want to do this?", because the previous session's nonces don't work. Why does WordPress not know to refresh these nonces? I thought new nonces would be sent back via heartbeat AJAX, but it looks like there isn't an AJAX request with the login screen.

It seems $(document).on('heartbeat-nonces-expired') can be used to detect when this situation happens, but it fires many times after a successful login; it is not just triggered once.
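Added example (not code from the ticket or from WordPress core) of how a page could cope with the situation described above: react to 'heartbeat-nonces-expired' only once per expiry episode even though it fires on every tick, and swap the stale `_wpnonce` on activate/deactivate links once fresh values arrive. The `{ id: nonce }` replacement map and the `{ id, href }` link objects are assumptions made for this example; in a real page they would come from a Heartbeat response and from the anchor elements.

```javascript
// Swap the _wpnonce query parameter in an admin action URL, leaving every other
// parameter (action, plugin, plugin_status, ...) in place. Links without a nonce
// are returned unchanged.
function replaceNonceInUrl(href, newNonce) {
  const [path, query = ''] = href.split('?', 2);
  const params = new URLSearchParams(query);
  if (!params.has('_wpnonce')) return href;
  params.set('_wpnonce', newNonce);
  return `${path}?${params.toString()}`;
}

// Apply an assumed { id: nonce } map to link-like objects ({ id, href }).
// Returns the ids that were actually refreshed, so the caller can see whether
// the response covered every stale link (a missing id means a stale link stays
// stale and should still trigger a reload prompt).
function applyRefreshedNonces(links, replacements) {
  const refreshed = [];
  for (const link of links) {
    const nonce = replacements[link.id];
    if (typeof nonce !== 'string' || nonce === '') continue; // no fresh value for this link
    const updated = replaceNonceInUrl(link.href, nonce);
    if (updated !== link.href) {
      link.href = updated;
      refreshed.push(link.id);
    }
  }
  return refreshed;
}

// Build a handler for 'heartbeat-nonces-expired' that calls onExpired once,
// no matter how many ticks report the expiry, until reset() is called after
// fresh nonces have been applied. Bind it with
// $(document).on('heartbeat-nonces-expired', handler.handle) in the page.
function createExpiryHandler(onExpired) {
  let pending = false;
  return {
    handle() {
      if (pending) return false; // already waiting for fresh nonces
      pending = true;
      onExpired();
      return true;
    },
    reset() { pending = false; },
  };
}
```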

Change History (8)

#1 @helen
4 years ago

  • Type changed from defect (bug) to enhancement
  • Version changed from trunk to 3.6

#2 @dd32
3 years ago

  • Component changed from HTTP API to Administration

#3 @mark-k
3 years ago

This can go even further and apply to all pages which have a nonce. Getting the "are you sure...." message is always a WTF moment, even for experienced users. Pages with nonces on them should suggest a refresh of the page when they detect they might have expired.

#4 @leedo
3 years ago

I must say I find this very frustrating. We recently began using 2FA on our install, which ends up logging users out every 48 hrs. This logout can happen while they're editing a post, at which point they'll be presented with a login dialog. The dialog's wording makes them think they can log in and continue editing. The reality is that they can continue editing, but the second they try to save, they will be presented with the awful "are you sure..." message, and all their changes are lost.

This ticket was mentioned in Slack in #core by mark.
3 years ago

#8 @DrewAPicture
3 years ago

  • Focuses docs removed
  • Keywords dev-feedback added
  • Summary changed from "No documented/recommended nonce refresh functionality in Heartbeat." to "No recommended nonce refresh functionality in Heartbeat."