Can I use the same nonce for multiple requests on the same page?

Or does this break the purpose of the nonce, which I admit I don’t quite understand? 🙂

For example on two ajax requests that run on page load, or when something is clicked:

 $.ajax({
   type: 'post',
   url: 'admin-ajax.php',
   data: { action: 'foo',
           _ajax_nonce: '<?php echo $nonce; ?>' }
 });

 $.ajax({
   type: 'post',
   url: 'admin-ajax.php',
   data: { action: 'foo2',
           _ajax_nonce: '<?php echo $nonce; ?>' }
 });

2 comments

  1. The WordPress nonce creation function is to be called only on the init hook:

    Use the init or any subsequent action to call this function. Calling
    it outside of an action can lead to troubles. See #14024 for details.

    Since the init hook “runs after WordPress has finished loading but before any headers are sent”, nonces are created on every full-page request (not ajax request).
    So, technically, you can use the same nonce on multiple requests, but you should make them unique on each request, as other answers have pointed out.


    To shed some more light on what nonces are:

    Nonces are sent on each Ajax request as a security token, to ensure the request was intended by the user.

  2. Yes, nonces are highly confusing. 🙂

    While the concept of a nonce implies that it is only used once, WordPress does not enforce that, and technically you can use a nonce multiple times.

    However, since a nonce is used to verify intent (as in, did you really mean to perform a specific action?), different actions should have different nonces generated and checked.
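
The per-action approach from the second comment, shown server-side as an added example that is not part of the original thread. The script handle `my-script`, the script path, the `MyAjax` object and the `edit_posts` capability are assumptions; `foo` and `foo2` are the actions from the question.

```php
<?php
/**
 * Plugin Name: Per-action nonce example (constructed for illustration)
 */

add_action( 'wp_enqueue_scripts', function () {
    // Hypothetical handle and path; replace with the script that issues the requests.
    wp_enqueue_script( 'my-script', plugins_url( 'js/my-script.js', __FILE__ ), array( 'jquery' ), '1.0', true );

    // One nonce per action, created once per page load. Each value can be sent
    // on any number of requests until it expires; WordPress does not consume it.
    wp_localize_script( 'my-script', 'MyAjax', array(
        'url'    => admin_url( 'admin-ajax.php' ),
        'nonces' => array(
            'foo'  => wp_create_nonce( 'foo' ),
            'foo2' => wp_create_nonce( 'foo2' ),
        ),
    ) );
} );

// In my-script.js each request sends the nonce that matches its action:
//   data: { action: 'foo',  _ajax_nonce: MyAjax.nonces.foo  }
//   data: { action: 'foo2', _ajax_nonce: MyAjax.nonces.foo2 }

// wp_ajax_{action} only fires for logged-in users.
add_action( 'wp_ajax_foo', function () {
    // Reads $_REQUEST['_ajax_nonce']; ends the request unless it was created for 'foo'.
    check_ajax_referer( 'foo' );

    // The nonce shows intent, not permission, so check the capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( array( 'handled' => 'foo' ) );
} );

add_action( 'wp_ajax_foo2', function () {
    // A nonce created for 'foo' fails here because the action string differs.
    check_ajax_referer( 'foo2' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( array( 'handled' => 'foo2' ) );
} );
```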