Is it safe to assume that a nonce may be validated more than once?

From what I have gathered, once a nonce is generated it is valid for reuse for the next 48 hours.

Is it safe to code with this in mind? I’m writing a plugin that does a bit of toing and froing with the client via AJAX and want to know if I should just generate a nonce when the page loads and use that for all communication or generate a new one for every request and include it in the response.

2 comments

  1. (1) The nonce lifetime is about 24 hours by default, actually. Take a look at the wp_verify_nonce function.

    To be more accurate, the lifetime is controlled by the filter

    apply_filters( 'nonce_life', DAY_IN_SECONDS );
    

    (2) If the lifetime value makes you doubt whether it is “an implementation side-effect”, you may want to add_filter('nonce_life', function() { return 60*5; }); to shorten the lifetime to 5 minutes, as in my example.

    (3) If you’re concerned about the security of your plugin, you should use a CSRF token instead.
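The lifetime and re-validation behaviour discussed in the comment above, as an added Python model of the tick-based scheme WordPress implements in pluggable.php (wp_nonce_tick, wp_create_nonce, wp_verify_nonce). This is not code from the original page or from WordPress: it swaps WordPress's wp_hash() (an HMAC-MD5 over the site salts) for HMAC-SHA256, uses a constructed secret in place of the site's NONCE_KEY/NONCE_SALT, and pins the clock to a fixed timestamp so the results are reproducible. The function names and the hypothetical action name my_plugin_ajax are this example's own.

```python
import hashlib
import hmac
import math

# Constructed stand-in for the site's NONCE_KEY/NONCE_SALT; a real site uses the
# values from wp-config.php. Any fixed bytes work for this model.
NONCE_SECRET = b"constructed-example-secret-not-a-real-wp-salt"
DAY_IN_SECONDS = 86400  # WordPress default, passed through the 'nonce_life' filter


def nonce_tick(now, nonce_life=DAY_IN_SECONDS):
    """Model of wp_nonce_tick(): the lifetime is split into two half-lives and
    the tick counter advances once per half-life."""
    return math.ceil(now / (nonce_life / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    """Keyed hash over tick|action|user|session, truncated to 10 characters.
    WordPress keeps substr(wp_hash(...), -12, 10); the same slice is taken here
    from an HMAC-SHA256 hex digest instead of wp_hash()."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]


def create_nonce(action, user_id, session_token, now, nonce_life=DAY_IN_SECONDS):
    """Model of wp_create_nonce(): deterministic for a given tick, so calling it
    repeatedly within one half-life returns the same string."""
    return _nonce_for_tick(nonce_tick(now, nonce_life), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now, nonce_life=DAY_IN_SECONDS):
    """Model of wp_verify_nonce(): 1 if the nonce belongs to the current tick,
    2 if to the previous one, False otherwise. Nothing is stored or consumed,
    so the same nonce verifies as often as you like until the tick moves on."""
    tick = nonce_tick(now, nonce_life)
    for generation, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return generation
    return False


def last_valid_time(created_at, nonce_life=DAY_IN_SECONDS):
    """Latest timestamp at which a nonce created at `created_at` still verifies:
    the end of the tick after the one it was created in. The real lifetime is
    therefore somewhere between nonce_life/2 and nonce_life, not a fixed value."""
    half = nonce_life / 2
    return (nonce_tick(created_at, nonce_life) + 1) * half


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed timestamp so the output is reproducible
    n = create_nonce("my_plugin_ajax", 7, "sess-abc", t0)
    print("same nonce verified twice:",
          verify_nonce(n, "my_plugin_ajax", 7, "sess-abc", t0),
          verify_nonce(n, "my_plugin_ajax", 7, "sess-abc", t0))
    print("valid until:", last_valid_time(t0),
          "=", (last_valid_time(t0) - t0) / 3600, "hours after creation")
    print("with nonce_life = 300:", last_valid_time(t0, 300) - t0, "seconds")
```

Because the value depends only on the tick, the action, the user and the session token, generating a nonce on every AJAX request returns the same string for the whole half-life; the model makes that visible by calling create_nonce twice with different timestamps in the same tick. The return value 2 from verify_nonce is WordPress's signal that the nonce came from the previous tick, which a plugin can use to refresh it in the response before it expires.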