Nonce failing in IE

I have a strange issue that seems to affect IE but not Chrome (I haven’t tried any other browsers).

I’m generating a form with a nonce using the following code –

<?php wp_nonce_field('solution-reg') ?>

I currently have the code outputting the entire $_REQUEST array to the browser so I can see the nonce field is being submitted with the form data –

Array ( [_wpnonce] => a7250b35a1 [_wp_http_referer] => /path-removed-for-stackexchange/ [..more fields..] ) 

In my code I’m calling the verify function as follows

if( !wp_verify_nonce($_POST['_wpnonce'], 'solution-reg') ){
    $this->renderer->addData('error', __('Invalid request', '...'));
    return false;
}

In Chrome I cannot get this to fail and every attempt goes through to the next page fine. In IE the first request always gives me the ‘Invalid request’ error. If I hit the form submit button again it goes through fine.

The only other thing I can think may affect it is some JavaScript that checks any form field with a data-validate="1" attribute, triggered by the form’s .submit handler, but as it doesn’t seem to be affecting the nonce value passed in the form I can’t see how that could affect the nonce verification.

I’m really struggling to see what IE could be doing differently that could affect whether the nonce verifies correctly.

Edit: (tl/dr I give up)

Logging calls to wp_create_nonce seems to suggest it never gets called if I load the page in IE. It does if I add some random query string vars. This suggests caching somewhere but I just don’t understand it. Headers show max-age 0, no-cache and immediate expiry. Total Cache plugin is enabled but I can’t see it being that as Chrome is fine. I’ve ended up disabling the nonce as I don’t really have any other answer.

1 Answer

You should not use nonces for non-logged-in users. You should not use nonces in any full or partial page caching scenario. Contrary to the impression given many times, just sprinkling nonces here and there with no specific reason does not improve the site’s security, and may cause actual problems for non-logged-in users.
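As an added example (not code from the question, the answer or WordPress core), the following self-contained PHP models the tick scheme behind wp_create_nonce()/wp_verify_nonce() (12-hour ticks, only the current and previous tick accepted) with an injected clock and a constructed salt. It shows the two points the answer makes: for a logged-out visitor (uid 0, no session token) every visitor in a tick receives the same nonce, and a nonce baked into a cached page stops verifying once the cache outlives the tick window, which is the 'Invalid request' branch in the question.

```php
<?php
// Added example (not WordPress core, not code from the question): a model of
// the tick arithmetic behind wp_nonce_tick()/wp_verify_nonce(), with an
// injectable clock so a form served from a stale cache can be reproduced.
// The salt and timestamps below are constructed placeholders.
const NONCE_SALT_PLACEHOLDER = 'constructed-salt-not-a-real-NONCE_KEY';
const NONCE_LIFE = 86400; // DAY_IN_SECONDS; WordPress halves it to get the tick size

function nonce_tick(int $now): int {
    // Same arithmetic as wp_nonce_tick(): one tick every 12 hours.
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function make_nonce(int $tick, string $action, int $uid, string $token): string {
    // wp_hash() is HMAC-MD5 over "tick|action|uid|session_token"; the nonce is
    // ten characters cut from the end of that hex digest.
    $hash = hash_hmac('md5', "$tick|$action|$uid|$token", NONCE_SALT_PLACEHOLDER);
    return substr($hash, -12, 10);
}

function create_nonce(int $now, string $action, int $uid = 0, string $token = ''): string {
    return make_nonce(nonce_tick($now), $action, $uid, $token);
}

// Mirrors wp_verify_nonce(): 1 for the current tick, 2 for the previous one,
// false otherwise. Only those two ticks are ever accepted.
function verify_nonce(int $now, string $nonce, string $action, int $uid = 0, string $token = '') {
    $i = nonce_tick($now);
    if (hash_equals(make_nonce($i, $action, $uid, $token), $nonce)) { return 1; }
    if (hash_equals(make_nonce($i - 1, $action, $uid, $token), $nonce)) { return 2; }
    return false;
}

// Constructed timestamp one second into a tick, so the nonce lives just under 24h.
$rendered = 1700006401;
$nonce = create_nonce($rendered, 'solution-reg'); // logged-out visitor: uid 0, empty token

// Logged out, the hash inputs are identical for everyone in the same tick, so
// every anonymous visitor gets this same nonce: it carries no per-user secret.
var_dump($nonce === create_nonce($rendered + 3600, 'solution-reg'));

// A form submitted within the current tick or the previous one still verifies.
var_dump(verify_nonce($rendered + 3600, $nonce, 'solution-reg'));
var_dump(verify_nonce($rendered + 15 * 3600, $nonce, 'solution-reg'));

// A page cached with the nonce baked in and still served a day later fails,
// taking the 'Invalid request' branch from the question.
var_dump(verify_nonce($rendered + 25 * 3600, $nonce, 'solution-reg'));
```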
