Update nonces page to explain using nonce_user_logged_out

[htdat]

Issue Description

Explaining that if just using WP core, nonces for all guest users are the same. That is, using nonces for guests by default will not yield any benefit at all in terms of security.

If plugins/themes want to protect their functionality from CSRF attacks for guests (non logged-in users), they would add their own filters for this nonce_user_logged_out hook (added in 2012). A prominent example is in the WooCommerce plugin with its own filter.

URL of the Page with the Issue

https://developer.wordpress.org/apis/security/nonces/

Section of Page with the issue

https://developer.wordpress.org/apis/security/nonces/#why-use-a-nonce
https://developer.wordpress.org/apis/security/nonces/#creating-a-nonce

Why is this a problem?

See my issue description.

Suggested Fix

See my issue description.

[htdat]

👋 I am happy to get assigned and work on this issue. But I am not sure how I can send a diff or draft for review? Any pointer is hugely appreciated.

[github-actions]

Heads up @zzap - the "apis" label was applied to this issue.

[stevenlinx]

@htdat
I've assigned the ticket to you.

All you need to do is to propose your changes as a comment such as the following:

section of the page:
[section]

original text:
[original text]

revised text:
[proposed text]

[htdat]

@stevenlinx - Thanks a lot. Will do.

[htdat]

@stevenlinx - thank you for your patience. Here is what I'd like to propose:

new section of the page:

• Name: Customize nonces for guests (non logged-in users)
• Ideally this would be right after https://developer.wordpress.org/apis/security/nonces/#creating-a-nonce as this section also mentions about logging out users.

text for this new section

WordPress core, by default, generates the same nonce for guests as they have the same user ID (value 0). That is, it does not prevent guests from CSRF attacks. To enhance this security aspect for critical actions, you can develop a session mechanism for your guests, and hook to the nonce_user_logged_out filter for replacing the user ID value 0 with a random ID from the session mechanism. An example can be found on plugin WooCommerce.

text for this new section (revised after feedback #876 (comment))

WordPress core, by default, generates the same nonce for guests as they have the same user ID (value 0). That is, it does not prevent guests from CSRF attacks. To enhance this security aspect for critical actions, you can develop a session mechanism for your guests, and hook to the nonce_user_logged_out filter for replacing the user ID value 0 with another random ID from the session mechanism.

[stevenlinx]

Thank you for the reply.

An example can be found on plugin WooCommerce.

The above part violates External Linking Policy:
https://make.wordpress.org/docs/handbook/documentation-team-handbook/external-linking-policy/
"No plugins/themes/services/hosting etc. will be promoted or recommended. In HelpHub/DevHub, we document only what’s in Core or will be in Core."

I wonder if you can provide an example code that's more vanilla and can be applied more universally.

Thanks.

[htdat]

@stevenlinx - thanks for the feedback.

I wonder if you can provide an example code that's more vanilla and can be applied more universally.

I am afraid that it's not possible as building a session mechanism is a non-trivial task. Taking into account your feedback, I've removed the mention of WooCommerce and its link, and updated a bit the formating. You can see it in the new (last) heading in my previous comment #876 (comment).

[stevenlinx]

I've made the revision.

[htdat]

Thank you. LGTM! What should I do next?

[stevenlinx]

1.)

What should I do next?

Nothing.

2.)
I'll close the ticket.

[haszari]

Related, the nonce_user_logged_out page has no explanation / info on it – just raw signature. Would be great to clarify things like:

• What the return value is. "Filters whether" is not clear to me, spelling this out in plain language would likely help many folks understand.
• How it's typically used. I suspect there's a best practice code pattern combining generating a nonce and then later checking it that uses nonce_user_logged_out. Can we put that pattern on the page, so unfamiliar developers don't have to rediscover this info independently (or rely on thousands of highly SEOd third party WordPress howto sites).