Changes between Initial Version and Version 24 of Ticket #31897


Timestamp: 02/24/2016 11:26:28 PM (4 years ago)
Author: westonruter
Comment:

I just realized that all nonces now get updated when the preview refreshes as of #35617, making this ticket less important. This ticket now specifically fixes the issue where the Customizer is left open for a long time without the preview being refreshed to keep the nonces up to date. Nevertheless, if the user does leave the browser session open for such a long time, it is also likely that their session will expire and they will need to re-login anyway: by default, non-remember user authentication sessions expire after 48 hours (auth_cookie_expiration) and nonces expire after 24 hours (nonce_life).

Nevertheless, the integration of Heartbeat into the Customizer will be useful for plugins generally, so I'd love to see that happen, and keeping nonces up-to-date should be the first application of Heartbeat in the Customizer. That can either be made the scope of this ticket, or another ticket can be made specific for that feature.

  • Ticket #31897

    • Property Status changed from new to assigned
    • Property Priority changed from normal to low
    • Property Keywords needs-unit-tests added
    • Property Owner set to voldemortensen
    • Property Type changed from defect (bug) to enhancement
  • Ticket #31897 – Description

    initial  v24
    1             Currently the Customizer's nonces get updated when the preview gets refreshed (only the `save` and `preview` nonces, not the `update-widget` nonce, however). If the user leaves the window open in the background for a long time, they will get stale nonces. We should be using the Heartbeat API and the `wp_ajax_customize_refresh_nonces` filter introduced in #31294 to keep the nonces up date.
             1    Currently the Customizer's nonces get updated when the preview gets refreshed ~~(only the `save` and `preview` nonces, not the `update-widget` nonce, however). If the user leaves the window open in the background for a long time, they will get stale nonces. We should be using the Heartbeat API and the `wp_ajax_customize_refresh_nonces` filter introduced in #31294 to keep the nonces up date.~~ (This is no longer true as of #35617.)
    2        2
    3        3    See also #31436 where Heartbeat integration will also be required to handle Customizer concurrency issues.