Nonces can be reused multiple times? Bug / Security issue?

I’ve read that nonces are meant to be for one-time use only, and that after an ajax request you should issue a new nonce, so that with the next ajax request a new nonce would be sent to the server.

However, I just tested repeated ajax requests using the same nonce token, and for each request wp_verify_nonce returned true on the same token, meaning it could be reused dozens of times.

Is this intentional, or a bug?

Do I still need to issue new nonces with each ajax request, or can the same one continue to work for all future requests?


In WordPress, nonces are specific to the user, the action being performed, and the time. With regard to time, a nonce is valid for 24 hours and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces.

Nonces are also hashed, and so the NONCE_SALT constant will be part of the resulting nonce as well. Changing the NONCE_SALT will invalidate all nonces immediately.

You should issue a new nonce every time. This is so that if the timing or methodology needs to be adjusted in the future, then your code will continue to handle it appropriately.
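To make the timing described in this answer concrete, here is an added Python model of the tick-based scheme (example code written for this page, not WordPress's own implementation, which lives in PHP). It keeps the structure of wp_nonce_tick / wp_create_nonce / wp_verify_nonce: the nonce is a keyed hash of tick|action|user id|session token, the tick advances every half-life (12 hours of a 24-hour life), and verification accepts the current tick (returns 1) or the previous tick (returns 2). The hash function, the salt value, the timestamps and the user/session values are all constructed for the demonstration, so the strings it produces are not real WordPress nonces.

```python
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400  # default nonce life in WordPress (filterable via 'nonce_life')


def nonce_tick(now: int, nonce_life: int = DAY_IN_SECONDS) -> int:
    """Tick counter that advances once every nonce_life/2 seconds (12h by default).

    Two ticks of validity is what gives a nonce a lifetime of 12 to 24 hours
    depending on where inside the current tick it was created."""
    return math.ceil(now / (nonce_life / 2))


def _hash_nonce(tick: int, action: str, uid: int, session_token: str, salt: bytes) -> str:
    """Keyed hash of the nonce material; the salt plays the role of NONCE_SALT.

    Constructed: HMAC-SHA256 stands in for wp_hash(), and the 10-character slice
    mirrors WordPress taking substr(..., -12, 10) of its digest."""
    msg = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action: str, uid: int, session_token: str, now: int, salt: bytes) -> str:
    """Same inputs inside the same tick always yield the same nonce string."""
    return _hash_nonce(nonce_tick(now), action, uid, session_token, salt)


def verify_nonce(nonce: str, action: str, uid: int, session_token: str, now: int, salt: bytes) -> int:
    """Return 1 if created in the current tick, 2 if in the previous tick, 0 otherwise."""
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, _hash_nonce(tick, action, uid, session_token, salt)):
        return 1
    if hmac.compare_digest(nonce, _hash_nonce(tick - 1, action, uid, session_token, salt)):
        return 2
    return 0


# Constructed sample values: a salt, a user id, a session token and a start time.
SALT = b"constructed-NONCE_SALT-value"
UID = 7
SESSION = "constructed-session-token"
T0 = 4_321_000  # just past a tick boundary, so the nonce lives almost the full 24h


def demo() -> dict:
    """Walk one nonce through its lifetime and a few invalidating changes."""
    nonce = create_nonce("save_post", UID, SESSION, T0, SALT)
    return {
        "same_tick": verify_nonce(nonce, "save_post", UID, SESSION, T0 + 11 * 3600, SALT),
        "previous_tick": verify_nonce(nonce, "save_post", UID, SESSION, T0 + 13 * 3600, SALT),
        "expired": verify_nonce(nonce, "save_post", UID, SESSION, T0 + 25 * 3600, SALT),
        "wrong_action": verify_nonce(nonce, "delete_post", UID, SESSION, T0, SALT),
        "salt_changed": verify_nonce(nonce, "save_post", UID, SESSION, T0, b"rotated-salt"),
        "reissued_identical": create_nonce("save_post", UID, SESSION, T0 + 3600, SALT) == nonce,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model explains the observation in the question: within a tick, every call to create a nonce for the same user and action produces the identical string, and verification keeps succeeding until the tick that created it ages out of the two-tick window, so repeated ajax requests with one token pass for hours. It also shows the two things that do invalidate a nonce immediately: a different action string, and a change of the salt. The value a nonce provides is therefore intent and origin checking (the request came from this user for this action), not replay prevention; code that needs single-use tokens has to add its own tracking, as the answer notes.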
