Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#53618 new defect (bug)

Nonce use for AJAX calls interferes with page caching

Reported by: galbaras
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

There are many plugins, most notably Contact Form 7, that use nonce values to secure AJAX calls to the server. Since nonce values expire after 24 hours at the most, cached pages that contain nonces stop working if the page is not refreshed during that time.

This is a serious limitation of the nonce mechanism. Sorry I don't have a better idea, but I'm hoping that others will put their heads together and come up with one, because there are MANY people discussing this on the web.

Change History (1)

#1 @peterwilsoncc
3 years ago

  • Version 5.7.2 deleted

This seems like a combination of issues that are outside of WordPress's control:

  • the caching plugin is caching for too long or caching pages/objects for logged-in users (thus causing an incorrect nonce to be cached).
  • the contact form plugin is using nonces for logged-out users: spam bots can request the page, get the nonce and submit the form, which just increases the number of hits on the server.

For logged in users, WordPress sends HTTP headers designed to prevent caching.

WP could send a default 12-hour expiry header for logged-out users, but as it doesn't include anything that expires after 12 hours, I really think any plugin using nonces for logged-out users would be better placed to send the header.
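The following is an added example, not code from this ticket, from WordPress core or from Contact Form 7. It is a minimal plugin that implements the two approaches the comment above points at: (A) a plugin that embeds a nonce in a page served to logged-out visitors sends the no-cache headers itself, using the same core function WordPress uses for logged-in users, and (B) the nonce is kept out of the cacheable HTML altogether and fetched from admin-ajax.php, which core always serves uncached, right before the protected request. Every name prefixed `ncd_` / `ncd-` (the `[ncd_form]` shortcode, script handle, AJAX actions, nonce action) is invented for this example; `nocache_headers()`, `wp_create_nonce()`, `check_ajax_referer()`, `wp_ajax_nopriv_*` and the other functions called are real core APIs.

```php
<?php
/**
 * Plugin Name: Nonce Cache Demo
 *
 * Added example, not code from the ticket, WordPress core or Contact Form 7.
 * Two ways a plugin that hands a nonce to logged-out visitors can avoid
 * serving a stale nonce out of a page cache:
 *   A) send no-cache headers on the page that embeds the nonce;
 *   B) keep the nonce out of the page and fetch it from admin-ajax.php,
 *      which core serves with nocache_headers() on every request.
 * Everything prefixed "ncd_" / "ncd-" is invented for this example.
 */

// Hypothetical condition: the page renders the plugin's [ncd_form] shortcode.
function ncd_page_embeds_nonce() {
    return is_singular() && has_shortcode( get_post()->post_content, 'ncd_form' );
}

// A) Mark the nonce-bearing page uncacheable for logged-out visitors.
// Core already does this for logged-in users. nocache_headers() sends the
// Expires/Cache-Control/Pragma headers that tell HTTP caches not to store the
// response; DONOTCACHEPAGE is the constant several page-cache plugins honour.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && ncd_page_embeds_nonce() ) {
        nocache_headers();
        if ( ! defined( 'DONOTCACHEPAGE' ) ) {
            define( 'DONOTCACHEPAGE', true );
        }
    }
} );

// B) Ship the page without any nonce. The browser asks an uncached endpoint
// for one immediately before the protected request, so the page cache's TTL
// no longer matters. Caveat from the comment above: a bot can call the same
// endpoint, so this fixes the stale-cache failure, not form spam.
add_action( 'wp_enqueue_scripts', function () {
    if ( ! ncd_page_embeds_nonce() ) {
        return;
    }
    // A handle with no src, used only to carry inline JS and its config.
    wp_register_script( 'ncd-form', false, array(), '1.0', true );
    wp_enqueue_script( 'ncd-form' );
    // Deliberately no nonce here: this array is printed into cacheable HTML.
    wp_localize_script( 'ncd-form', 'ncdConfig', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
    wp_add_inline_script( 'ncd-form', <<<'JS'
document.addEventListener('submit', async (ev) => {
  const form = ev.target.closest('form.ncd-form');
  if (!form) return;
  ev.preventDefault();
  // 1. Fetch a fresh nonce; admin-ajax.php responses are never cached by core.
  const fresh = await fetch(ncdConfig.ajaxUrl + '?action=ncd_get_nonce',
                            { credentials: 'same-origin' }).then(r => r.json());
  // 2. Send the real request with that nonce attached.
  const body = new FormData(form);
  body.append('action', 'ncd_submit');
  body.append('nonce', fresh.data.nonce);
  const res = await fetch(ncdConfig.ajaxUrl,
                          { method: 'POST', body, credentials: 'same-origin' });
  console.log(await res.json());
});
JS
    );
} );

// Uncached nonce endpoint. wp_ajax_nopriv_* is the hook logged-out users reach.
add_action( 'wp_ajax_nopriv_ncd_get_nonce', 'ncd_get_nonce' );
add_action( 'wp_ajax_ncd_get_nonce', 'ncd_get_nonce' );
function ncd_get_nonce() {
    wp_send_json_success( array( 'nonce' => wp_create_nonce( 'ncd_submit' ) ) );
}

// Protected action. check_ajax_referer() dies with -1 when the nonce is
// missing, forged, or outside its 12-24 hour validity window.
add_action( 'wp_ajax_nopriv_ncd_submit', 'ncd_submit' );
add_action( 'wp_ajax_ncd_submit', 'ncd_submit' );
function ncd_submit() {
    check_ajax_referer( 'ncd_submit', 'nonce' );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    // ... store or mail $message ...
    wp_send_json_success( array( 'received_chars' => strlen( $message ) ) );
}
```

Approach A trades away caching of that one page for every visitor; approach B keeps the page cacheable at the cost of one extra uncached request per submission. Either way the nonce still only proves "this request originated from a page my site served recently", which is why the comment above notes that it does nothing against bots that fetch the page (or the endpoint) themselves.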
