Update nonces page to explain using nonce_user_logged_out #876
Comments
👋 I am happy to get assigned and work on this issue. But I am not sure how I can send a diff or draft for review? Any pointer is hugely appreciated.
Heads up @zzap - the "apis" label was applied to this issue.
@htdat All you need to do is to propose your changes as a comment such as the following:
section of the page:
original text:
revised text:
@stevenlinx - Thanks a lot. Will do.
@stevenlinx - thank you for your patience. Here is what I'd like to propose:
new section of the page:
text for this new section:
WordPress core, by default, generates the same nonce for guests as they have the same user ID (value 0). That is, it does not prevent guests from CSRF attacks. To enhance this security aspect for critical actions, you can develop a session mechanism for your guests, and hook to the
text for this new section (revised after feedback #876 (comment)):
WordPress core, by default, generates the same nonce for guests as they have the same user ID (value
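One way to implement the session-bound guest nonce the proposal above describes, as an added example that is not part of this issue, of WordPress core, or of WooCommerce: a small mu-plugin gives each logged-out visitor a random identifier in a cookie and returns it from the `nonce_user_logged_out` filter, so `wp_create_nonce()` and `wp_verify_nonce()` no longer derive one shared nonce for every guest. The cookie name, lifetime and the `pgn_` function names are assumptions, and the `setcookie()` options array needs PHP 7.3 or newer.

```php
<?php
/**
 * Plugin Name: Per-guest nonces (example, not core code)
 * Description: Binds logged-out visitors' nonces to a random, cookie-held identifier.
 */

define( 'PGN_COOKIE', 'wp_guest_id' );       // assumed cookie name
define( 'PGN_LIFETIME', DAY_IN_SECONDS );    // assumed lifetime; WordPress defines DAY_IN_SECONDS

/**
 * Return this visitor's guest identifier, issuing a fresh random one when no valid
 * cookie is present. Only 64 lowercase hex chars are accepted, so a tampered cookie
 * is replaced rather than trusted, and the value is cached for the rest of the request.
 */
function pgn_guest_id() {
	static $id = null;
	if ( null !== $id ) {
		return $id;
	}
	$cookie = isset( $_COOKIE[ PGN_COOKIE ] ) ? (string) $_COOKIE[ PGN_COOKIE ] : '';
	if ( preg_match( '/^[0-9a-f]{64}$/', $cookie ) ) {
		$id = $cookie;
		return $id;
	}
	$id = bin2hex( random_bytes( 32 ) );   // 256 bits from a CSPRNG: not guessable by a third party
	if ( ! headers_sent() ) {                // hooked on 'init' below so this is normally true
		setcookie( PGN_COOKIE, $id, array(
			'expires'  => time() + PGN_LIFETIME,
			'path'     => COOKIEPATH ? COOKIEPATH : '/',
			'domain'   => COOKIE_DOMAIN ? COOKIE_DOMAIN : '',
			'secure'   => is_ssl(),
			'httponly' => true,              // nonce binding survives without script access to the cookie
			'samesite' => 'Lax',
		) );
	}
	return $id;
}
add_action( 'init', 'pgn_guest_id' );     // issue the cookie before any output is sent

/**
 * Core calls this filter with $uid = 0 for every guest, in both wp_create_nonce() and
 * wp_verify_nonce(), and concatenates the result into the hashed nonce data. Returning
 * the per-visitor identifier makes a nonce valid only for the browser holding that cookie.
 */
function pgn_nonce_user_logged_out( $uid, $action ) {
	return pgn_guest_id();
}
add_filter( 'nonce_user_logged_out', 'pgn_nonce_user_logged_out', 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` and compare `wp_create_nonce( 'test' )` from two different browsers with no login cookie: without the plugin the values match, with it they differ.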
Thank you for the reply.
The above part violates External Linking Policy: I wonder if you can provide an example code that's more vanilla and can be applied more universally. Thanks.
@stevenlinx - thanks for the feedback.
I am afraid that it's not possible as building a session mechanism is a non-trivial task. Taking into account your feedback, I've removed the mention of WooCommerce and its link, and updated the formatting a bit. You can see it in the new (last) heading in my previous comment #876 (comment).
I've made the revision.
Thank you. LGTM! What should I do next?
1.) Nothing.
2.)
Related, the
Issue Description
Explaining that if just using WP core, nonces for all guest users are the same. That is, using nonces for guests by default will not yield any benefit at all in terms of security.
If plugins/themes want to protect their functionality from CSRF attacks for guests (non logged-in users), they would add their own filters for this `nonce_user_logged_out` hook (added in 2012). A prominent example is in the WooCommerce plugin with its own filter.
URL of the Page with the Issue
https://developer.wordpress.org/apis/security/nonces/
Section of Page with the issue
https://developer.wordpress.org/apis/security/nonces/#why-use-a-nonce
https://developer.wordpress.org/apis/security/nonces/#creating-a-nonce
Why is this a problem?
See my issue description.
Suggested Fix
See my issue description.