I was trying to figure out where does WordPress store all the nonces. But wasn’t able to find a clue.
I first checked the database but wasn’t able to find any table named something like wp_nonces.
Where Are WordPress nonces Stored?
3 comments
Comments are closed.
I posted this question 11 months ago.
All the answers that I received were great and helped me a lot.
But none of them addressed the storage location of WordPress nonces. That’s what my real question was.
So, I dug up WordPress source code and was able to find the correct storage location of WordPress nonces.
They are stored in user sessions.
They are unique tokens stored in user’s session. Nonces have a defined life span.
If the user logs out of WordPress, the nonces will no longer be valid.
PS: I asked this question and now I am posting this answer to help others 🙂
Nonces are not stored directly anywhere, they are created using the function
wp_create_nonceand validated using thewp_verify_nonce.Those functions in turn use
wp_hashto hash together a lifespan, a custom string, the user_id and the session token stored in wp_usermeta with the keysession_tokens.Nonces are one-time tokens generated by WordPress to validate various requests, such as adding a comment, deleting a post, removing a user, etc.
They’re not stored anywhere, nor do they need to be.
Take the following example; when managing content in WordPress, the Bin link may look something like this:
http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682However, if you were to try and change the ID of the page/post in the URL to something else (see below), the nonce would no longer be valid, return a 403 error, and display: “Are you sure you want to do this?”
http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682Adding a hidden
_noncefield (take Contact Form 7 as a prime example) is generally good practice when implementing forms into WordPress, as it prevents Cross-Site Request Forgery (CSRF), etc.Resources: