Allow Nonce caching #793
As of v160706, Comet Cache does not cache Nonce values (see What are WordPress nonces and why are they not cache-compatible?). However, after further discussion it was decided that Nonces could be cached safely, with a few caveats (see Caching Nonce values safely below). The decision to put in the work necessary to make caching Nonces possible came after lots of feedback from users frustrated that Comet Cache was not caching their pages due to a plugin/theme adding Nonce values to every page.
To improve the way Comet Cache handles WordPress Nonces, we need to do the following:
Caching Nonce values safely
From what I've gathered, the only real way to cache Nonce values safely is to do the following:
Points 1 and 3 we can control: We can enable Nonce caching only for Logged-In Users and we can set an expiration date on cache files that contain Nonce values to 12 hours. Point 2 is somewhat out of our control; however, that may not be a problem.
The WordPress Codex says to "always assume Nonces can be compromised" and that "Nonces should never be relied on for authentication or authorization, access control." If we go by that, then we don't need to worry about making sure that cache files are not publicly accessible just because they may contain a Nonce value. (I agree, however, that we should still try to make sure user-specific cache files are not publicly accessible, as those will probably contain user-specific information that a site owner would not want to expose.)
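Why a 12-hour expiry keeps a cached Nonce usable, as an added example (not Comet Cache or WordPress code): a simplified Python model of WordPress's default nonce scheme, in which a nonce is accepted during the 12-hour tick it was created in and during the following one. The HMAC-SHA256 construction, the key, and the helper names `cache_ttl` and `cached_nonce_survives` are assumptions made for illustration; session tokens are left out.

```python
import hashlib
import hmac

NONCE_LIFE = 24 * 3600        # WordPress default nonce lifetime (one day)
TICK_LEN = NONCE_LIFE // 2    # the nonce tick advances every 12 hours
NONCE_CACHE_TTL = 12 * 3600   # expiry the issue proposes for cache files holding a nonce
SECRET = b"constructed-demo-key"  # constructed stand-in for the site's nonce key and salt


def tick(now):
    """Tick number for a Unix timestamp: ceil(now / 12 h), in integer arithmetic."""
    return -(-now // TICK_LEN)


def make_nonce(action, user_id, now, at_tick=None):
    """Model nonce: 10 hex characters of a keyed hash over tick|action|user."""
    t = tick(now) if at_tick is None else at_tick
    msg = f"{t}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def verify_nonce(nonce, action, user_id, now):
    """Return 1 (current tick), 2 (previous tick) or 0 (rejected)."""
    for result, t in ((1, tick(now)), (2, tick(now) - 1)):
        if hmac.compare_digest(make_nonce(action, user_id, now, t), nonce):
            return result
    return 0


def cache_ttl(has_nonce, logged_in, default_ttl):
    """Policy from the issue: nonce pages are cached only for logged-in users, 12 h at most."""
    if not has_nonce:
        return default_ttl
    if not logged_in:
        return 0  # 0 means: do not cache this response
    return min(default_ttl, NONCE_CACHE_TTL)


def cached_nonce_survives(created_at, age, action="demo_action", user_id=7):
    """Is a nonce embedded in a cache file at created_at still accepted `age` seconds later?"""
    nonce = make_nonce(action, user_id, created_at)
    return verify_nonce(nonce, action, user_id, created_at + age) != 0
```

A nonce generated exactly on a tick boundary is the worst case: it is accepted for 12 hours and rejected one second later, which is why a longer cache expiry could serve pages whose nonce no longer verifies.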
@highacid Yes, you can implement this by following the steps outlined in What are WordPress nonces and why are they not cache-compatible? in the section for Allowing Nonce Caching and Logged-In Users (safer), and by setting Comet Cache → Plugin Options → Directory / Expiration Time to 12 hours.
Next Release Changelog:
@highacid We should have a Release Candidate available this weekend that will include these changes. Our target date for a General Availability release is Friday, November 18th.
If you're interested in testing a beta release of Comet Cache before the next version comes out, please sign up to be a beta tester here or see Comet Cache → Plugin Updater → Beta Testers to automatically receive Release Candidate updates.
Comet Cache v161119 has been released and includes changes from this GitHub Issue. See the v161119 announcement for further details.
This issue will now be locked to further updates. If you have something to add related to this GitHub Issue, please open a new GitHub Issue and reference this one (#793).