Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
Denis Goncharenko2019-03-04 10:34:43
Information Security
Denis Goncharenko, 2019-03-04 10:34:43

What is the meaning of wp_nonce?

I understand how wp_nonce works, when submitting a form, a token is generated based on some variables:

substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 )

Then, after submitting the form, it is checked by the server:
hash_equals( $expected, $nonce );
But damn it, what's the point? If we can look at the token generated in the form and submit it along with our "left" form and data? In theory, these tokens should be one-time, in WordPress, as far as I understood from the code, they are not one-time, but simply valid for some time. But even if you make them disposable, you can just open the form, see the token, not send the original form, but send the one you need, with the current token, so it is used only once. I do not understand something?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
A
Artem Matyashov2019-06-26 12:05:08
How to hide file server behind VPN? 1Reply
I
Ivan Filatov2015-02-03 11:28:10
Web service privacy: how to prove its security? Open / spread the source code? And does it need to be done? 1Reply
N
Ninighe2017-02-04 23:24:20
Can the site itself hide information from the provider? 1Reply
2
2xx322017-02-06 15:05:28
VeraCrypt and BitLocker encryption at the same time, is it possible? 4Reply
S
Shimpanze2019-07-05 08:28:39
In order to secure your site, is it enough to convert three characters: &, < and >? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question