Where Are WordPress nonces Stored?

后端 未结 3 854
闹比i
闹比i 2021-02-19 18:03

I was trying to figure out where does WordPress store all the nonces. But wasn\'t able to find a clue. I first checked the database but wasn\'t able to find any table named some

3条回答
  •  伪装坚强ぢ
    2021-02-19 18:33

    Nonces are one-time tokens generated by WordPress to validate various requests, such as adding a comment, deleting a post, removing a user, etc.

    They're not stored anywhere, nor do they need to be.

    Take the following example; when managing content in WordPress, the Bin link may look something like this:

    http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682

    However, if you were to try and change the ID of the page/post in the URL to something else (see below), the nonce would no longer be valid, return a 403 error, and display: "Are you sure you want to do this?"

    http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682

    Adding a hidden _nonce field (take Contact Form 7 as a prime example) is generally good practice when implementing forms into WordPress, as it prevents Cross-Site Request Forgery (CSRF), etc.

    Resources:

    • WordPress Nonces
    • Nonce
    • Cross-Site Request Forgery

提交回复
热议问题