From what I have gathered, once a nonce is generated it is valid for reuse for the next 48 hours.
Is it safe to code with this in mind? I’m writing a plugin that does a bit of toing and froing with the client via AJAX and want to know if I should just generate a nonce when the page loads and use that for all communication or generate a new one for every request and include it in the response.
1. The nonce lifetime is about 24 hours by default actually. Take a look at the wp_verify_nonce function.
To be more accurate, the lifetime is controlled by a filter.
2. If the lifetime value makes you doubt whether it is "an implementation side-effect", you may want to
add_filter('nonce_life', function ($lifetime) { return 60 * 5; });
to shorten the lifetime to 5 minutes in my example.
3. If you're concerned about the security of your plugin, you should use a CSRF token instead.
WordPress nonces are not use-once. You can reuse the nonce as often as you like until it expires.
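As an added example (not code from the question or either answer), here is a minimal plugin that shortens the lifetime with the nonce_life filter, issues one nonce at page load, verifies it on every AJAX request, and uses the return value of wp_verify_nonce() to hand the client a fresh nonce before the old one expires. The 'nld_demo' action, the 'nld-script' handle and the nld.js file are names assumed for this example.

```php
<?php
/**
 * Plugin Name: Nonce Lifetime Demo (added example, not the original page's code)
 */

// Shorten the nonce lifetime to 5 minutes. WordPress passes the current
// lifetime in seconds and uses whatever the filter returns.
add_filter( 'nonce_life', function ( $lifetime ) {
    return 5 * MINUTE_IN_SECONDS;
} );

// Generate one nonce when the page loads and expose it to the client script.
// 'nld-script', nld.js and the nldAjax object are names chosen for this example.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'nld-script', plugins_url( 'nld.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'nld-script', 'nldAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'nld_demo' ),
    ) );
} );

// AJAX handler for logged-in users (add a wp_ajax_nopriv_ hook for visitors).
// The client POSTs action=nld_ping and the nonce in the 'nonce' field.
add_action( 'wp_ajax_nld_ping', function () {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    $valid = wp_verify_nonce( $nonce, 'nld_demo' );

    // false: missing, forged or expired. The same nonce may be reused for
    // as many requests as the client likes until it expires.
    if ( ! $valid ) {
        wp_send_json_error( array( 'message' => 'invalid or expired nonce' ), 403 );
    }

    $response = array( 'time' => time() );

    // wp_verify_nonce() returns 1 during the first half of the lifetime and
    // 2 during the second half. In the second half, include a fresh nonce in
    // the response so a page left open does not start failing mid-session.
    if ( 2 === $valid ) {
        $response['nonce'] = wp_create_nonce( 'nld_demo' );
    }

    wp_send_json_success( $response );
} );
```

The client script should replace its stored nonce whenever a response carries a new one; otherwise it keeps sending the nonce it received at page load.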