Opened 3 years ago
Last modified 3 years ago
#53618 new defect (bug)
Nonce use for AJAX calls interferes with page caching
| Reported by: | galbaras | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
There are many plugins, most notably Contact Form 7, that use nonce values to secure AJAX calls to the server. Since nonce values expire after 24 hours at the most, cached pages that contain nonces stop working if the page is not refreshed during that time.
This is a serious limitation of the nonce mechanism. Sorry, I don't have a better idea, but I'm hoping that others will put their heads together and come up with one, because there are MANY people discussing this on the web.
This seems like a combination of issues that are outside of WordPress's control:
- For logged-in users, WordPress sends HTTP headers designed to prevent caching.
- WP could send a default 12-hour expiry header for logged-out users, but, as it doesn't include anything that expires after 12 hours, I really think any plugin using nonces for logged-out users would be better placed to send the header.
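The following is an added example, not code from the ticket, from WordPress core or from Contact Form 7. It shows what the comment above proposes, done from the plugin side: a minimal plugin that embeds a nonce in a shortcode form, caps the cache lifetime of any page that renders that form below the nonce's minimum validity window, and gives the client a way to recover when a cached page has outlived its nonce. A WordPress nonce is valid for between half and the full value of the `nonce_life` filter (24 hours by default), which is why the cache age is derived from half of it. Every `nce_`-prefixed name and the `nce_form` shortcode are assumptions made up for this example.

```php
<?php
/**
 * Plugin Name: Nonce Cache Example (added example, not a real plugin)
 *
 * Keeps a cached page from outliving the nonce it embeds, and lets the
 * client fetch a fresh nonce when a stale one is rejected.
 * All nce_* names are hypothetical.
 */

const NCE_ACTION = 'nce_submit';

/**
 * Longest a page containing our nonce may be cached, in seconds.
 * A nonce stays valid for at least half of nonce_life, so cache for
 * slightly less than that to stay on the safe side of the boundary.
 */
function nce_max_cache_age(): int {
    $life = (int) apply_filters( 'nonce_life', DAY_IN_SECONDS );
    return max( MINUTE_IN_SECONDS, intdiv( $life, 2 ) - 5 * MINUTE_IN_SECONDS );
}

/** Shortcode that renders the form with a freshly minted nonce. */
add_shortcode( 'nce_form', 'nce_render_form' );
function nce_render_form(): string {
    return sprintf(
        '<form class="nce-form" data-ajax="%s" data-action="%s" data-nonce="%s">'
        . '<input type="text" name="message"><button type="submit">Send</button></form>',
        esc_url( admin_url( 'admin-ajax.php' ) ),
        esc_attr( NCE_ACTION ),
        esc_attr( wp_create_nonce( NCE_ACTION ) )
    );
}

/**
 * For logged-out visitors, send a Cache-Control header on any singular page
 * whose content uses the shortcode. Core already sends no-cache headers for
 * logged-in users, so nothing is needed there. template_redirect fires after
 * the main query (so the post is known) but before any output.
 */
add_action( 'template_redirect', 'nce_send_cache_headers' );
function nce_send_cache_headers(): void {
    if ( is_user_logged_in() || headers_sent() || ! is_singular() ) {
        return;
    }
    $post = get_post();
    if ( $post && has_shortcode( $post->post_content, 'nce_form' ) ) {
        header( 'Cache-Control: public, max-age=' . nce_max_cache_age() );
    }
}

/**
 * AJAX handler. With the third argument false, check_ajax_referer() returns
 * false instead of dying, so the client receives a structured 403 it can
 * distinguish from other failures and act on by refreshing the nonce.
 */
add_action( 'wp_ajax_' . NCE_ACTION, 'nce_handle_submit' );
add_action( 'wp_ajax_nopriv_' . NCE_ACTION, 'nce_handle_submit' );
function nce_handle_submit(): void {
    if ( false === check_ajax_referer( NCE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'code' => 'stale_nonce' ), 403 );
    }
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    wp_send_json_success( array( 'received' => $message ) );
}

/**
 * Endpoint that hands out a current nonce, explicitly marked uncacheable.
 * For logged-out visitors the nonce is computed for user id 0 and is not
 * tied to a session, so serving it here exposes nothing the cached page
 * did not already contain.
 */
add_action( 'wp_ajax_nce_nonce', 'nce_fresh_nonce' );
add_action( 'wp_ajax_nopriv_nce_nonce', 'nce_fresh_nonce' );
function nce_fresh_nonce(): void {
    nocache_headers();
    wp_send_json_success( array( 'nonce' => wp_create_nonce( NCE_ACTION ) ) );
}
```

The client-side flow this supports is: submit the form to `admin-ajax.php` with the embedded `data-nonce`; if the response is a 403 with `code: stale_nonce`, request `action=nce_nonce`, replace the nonce and retry once. Two caveats: many server-side page caches keep their own expiry settings and ignore `Cache-Control`, so the header alone does not fix every setup, and the refresh endpoint only makes the stale-page case recoverable, it does not change how long a nonce lives.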