WordPress at a glance

wp_verify_nonce() WP 1.0

Verify that correct nonce was used with time limit.

The user is given an amount of time to use the token, so therefore, since the UID and $action remain the same, the independent variable is the time.

This is a pluggable function, and it can be replaced from plugin. It means that this function is defined (works) only after all plugins are connected (included), but before this moment the function has not yet been defined... Therefore, you cannot call this and all functions depended on this function directly from a plugin code. It must be called via hook plugins_loaded or later, for example on hook init.

Function replacement (override) — in a plugin you can create a function with the same name, then it will replace this function.

Is the basis for: check_ajax_referer()

No Hooks.

Return

false/Int. False if the nonce is invalid, 1 if the nonce is valid and generated between
0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.

Usage

wp_verify_nonce( $nonce, $action );
$nonce(string) (required)
Nonce that was used in the form to verify
$action(string/int)
Should give context to what is taking place and be the same when nonce was created.
Default: -1

Code of wp_verify_nonce: wp-includes/pluggable.php VER 5.0.1

<?php
function wp_verify_nonce( $nonce, $action = -1 ) {
	$nonce = (string) $nonce;
	$user = wp_get_current_user();
	$uid = (int) $user->ID;
	if ( ! $uid ) {
		/**
		 * Filters whether the user who generated the nonce is logged out.
		 *
		 * @since 3.5.0
		 *
		 * @param int    $uid    ID of the nonce-owning user.
		 * @param string $action The nonce action.
		 */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	if ( empty( $nonce ) ) {
		return false;
	}

	$token = wp_get_session_token();
	$i = wp_nonce_tick();

	// Nonce generated 0-12 hours ago
	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago
	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;
	}

	/**
	 * Fires when nonce verification fails.
	 *
	 * @since 4.4.0
	 *
	 * @param string     $nonce  The invalid nonce.
	 * @param string|int $action The nonce action.
	 * @param WP_User    $user   The current user object.
	 * @param string     $token  The user's session token.
	 */
	do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

	// Invalid nonce
	return false;
}

Related Functions

From tag: nonce (security protection defence)

More from tag: Site security (safety)

No comments
    Hello, !     Log In . Register