Is a global nonce a bad idea?
I’m trying to build a central system that will delegate certain functionality and serve me some nice things when dealing with AJAX calls. Basically, I want to dump the whole charade of checking parameters, making sure they’re all right, making sure the user has the right capabilities, etc. into one single system.
There is a problem with nonces, however. To my understanding, and just from reading through it, a nonce is supposed to simply protect against CSRF. It’s a simple mechanism for generating a unique string based on who the user is, the action and the time.
The problem is that the nonce always has to be localized to the script that’s going to pass it as the security argument when making an AJAX call. This means that the back-end cannot know what the nonce is called beforehand.
If I do:
which is equivalent to wp_localize_script with the nonce as a parameter, the script will only know the generated string, not the name of the nonce, which is wpdocs-special-string; therefore, my system cannot do
What exactly would be wrong with generating a global nonce so that every AJAX request will be checked against that nonce?
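The following is an added example and not code from the question author: one way to keep a single central AJAX entry point while still using action-scoped nonces, so that the back-end derives the nonce name from the requested action instead of needing a global nonce. The plugin prefix "myplugin_", the two action names, the "do" request parameter and the callback bodies are assumptions made for illustration; the WordPress calls (wp_create_nonce, wp_localize_script, check_ajax_referer, current_user_can, wp_send_json_*) are the real API.

```php
<?php
// Added example (not the question author's code). Names prefixed "myplugin_"
// and the two actions below are hypothetical.

// Single registry: AJAX sub-action => [callback, required capability].
// The nonce action is derived from the key, so the dispatcher always knows
// which nonce to verify without the script telling it.
function myplugin_ajax_registry() {
    return array(
        'save_profile' => array( 'cb' => 'myplugin_save_profile', 'cap' => 'edit_posts' ),
        'delete_item'  => array( 'cb' => 'myplugin_delete_item',  'cap' => 'delete_posts' ),
    );
}

// One nonce action name per AJAX sub-action (never one global nonce).
function myplugin_nonce_action( $sub_action ) {
    return 'myplugin_' . $sub_action;
}

// Hand the script one nonce per sub-action under a predictable key.
function myplugin_enqueue() {
    wp_enqueue_script( 'myplugin-ajax', plugins_url( 'ajax.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    $nonces = array();
    foreach ( array_keys( myplugin_ajax_registry() ) as $sub_action ) {
        $nonces[ $sub_action ] = wp_create_nonce( myplugin_nonce_action( $sub_action ) );
    }
    wp_localize_script( 'myplugin-ajax', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonces'   => $nonces,
    ) );
}
add_action( 'wp_enqueue_scripts', 'myplugin_enqueue' );

// Central entry point: POST admin-ajax.php with
//   action=myplugin_dispatch&do=save_profile&_ajax_nonce=<nonces.save_profile>
function myplugin_dispatch() {
    $registry   = myplugin_ajax_registry();
    $sub_action = isset( $_REQUEST['do'] ) ? sanitize_key( $_REQUEST['do'] ) : '';

    if ( ! isset( $registry[ $sub_action ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    // Verify the nonce that belongs to THIS sub-action. check_ajax_referer()
    // reads the "_ajax_nonce" field and dies with -1 on failure, so a nonce
    // issued for save_profile cannot be replayed against delete_item.
    check_ajax_referer( myplugin_nonce_action( $sub_action ), '_ajax_nonce' );

    // Capability check is separate from CSRF protection: a valid nonce only
    // proves intent, not authorization.
    if ( ! current_user_can( $registry[ $sub_action ]['cap'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    call_user_func( $registry[ $sub_action ]['cb'] );
}
add_action( 'wp_ajax_myplugin_dispatch', 'myplugin_dispatch' );

// Hypothetical handlers; input validation happens here after the shared checks.
function myplugin_save_profile() {
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    update_user_meta( get_current_user_id(), 'myplugin_name', $name );
    wp_send_json_success( array( 'saved' => $name ) );
}

function myplugin_delete_item() {
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

The client side only needs the sub-action name to look up the matching nonce, e.g. `jQuery.post(myplugin.ajax_url, { action: 'myplugin_dispatch', do: 'save_profile', _ajax_nonce: myplugin.nonces.save_profile, name: 'x' })`. A single global nonce would also pass check_ajax_referer, but then any page that exposes it to a script grants a CSRF token valid for every action the dispatcher serves; scoping the nonce per action limits what a leaked or logged token can be used for, while the per-action capability check still does the actual authorization.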