wp_verify_nonce( string $nonce, string|int $action = -1 )
Verifies that a correct security nonce was used, within its time limit.
Description
A nonce is valid for 24 hours (by default).
Parameters
- $nonce (string) (Required) Nonce value that was used for verification, usually via a form field.
- $action (string|int) (Optional) Should give context to what is taking place and be the same as when the nonce was created. Default value: -1
Return
(int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.
Source
File: wp-includes/pluggable.php

```php
function wp_verify_nonce( $nonce, $action = -1 ) {
    $nonce = (string) $nonce;
    $user  = wp_get_current_user();
    $uid   = (int) $user->ID;
    if ( ! $uid ) {
        /**
         * Filters whether the user who generated the nonce is logged out.
         *
         * @since 3.5.0
         *
         * @param int    $uid    ID of the nonce-owning user.
         * @param string $action The nonce action.
         */
        $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
    }

    if ( empty( $nonce ) ) {
        return false;
    }

    $token = wp_get_session_token();
    $i     = wp_nonce_tick();

    // Nonce generated 0-12 hours ago.
    $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
    if ( hash_equals( $expected, $nonce ) ) {
        return 1;
    }

    // Nonce generated 12-24 hours ago.
    $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
    if ( hash_equals( $expected, $nonce ) ) {
        return 2;
    }

    /**
     * Fires when nonce verification fails.
     *
     * @since 4.4.0
     *
     * @param string     $nonce  The invalid nonce.
     * @param string|int $action The nonce action.
     * @param WP_User    $user   The current user object.
     * @param string     $token  The user's session token.
     */
    do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

    // Invalid nonce.
    return false;
}
```
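To make the return values and the 12-hour tick arithmetic in the source above concrete, here is an added Python model of the scheme (not WordPress code): wp_nonce_tick(), wp_hash() as HMAC-MD5 keyed with the nonce salt, and the substr( ..., -12, 10 ) slice are reproduced with a constructed salt and session token and a caller-supplied clock, so the 1 / 2 / false outcomes can be traced. It also goes one step beyond the page and computes how long a given nonce actually verifies, which is anywhere from 12 hours to one second under 24 hours depending on where in the tick it was minted.

```python
import hashlib
import hmac
import math

# Constructed stand-ins for wp_salt( 'nonce' ) and the user's session token (not real values).
NONCE_SALT = b"constructed-nonce-salt"
SESSION_TOKEN = "constructed-session-token"
NONCE_LIFE = 24 * 60 * 60  # DAY_IN_SECONDS, the default 'nonce_life'
HALF_LIFE = NONCE_LIFE // 2  # one tick = 12 hours


def nonce_tick(now: int) -> int:
    """Model of wp_nonce_tick(): the tick counter advances every half-lifetime."""
    return math.ceil(now / HALF_LIFE)


def wp_hash(data: str) -> str:
    """Model of wp_hash( $data, 'nonce' ): HMAC-MD5 keyed with the nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def expected_nonce(tick: int, action: str, uid: int, token: str) -> str:
    # substr( ..., -12, 10 ): ten characters starting twelve from the end of the digest.
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def create_nonce(now: int, action: str, uid: int, token: str = SESSION_TOKEN) -> str:
    """Model of wp_create_nonce(): always minted from the current tick."""
    return expected_nonce(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, now: int, action: str, uid: int, token: str = SESSION_TOKEN):
    """Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous one, else False."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    if hmac.compare_digest(expected_nonce(tick, action, uid, token), nonce):
        return 1  # generated 0-12 hours ago
    if hmac.compare_digest(expected_nonce(tick - 1, action, uid, token), nonce):
        return 2  # generated 12-24 hours ago
    return False


def nonce_lifetime(created_at: int) -> int:
    """Seconds after created_at during which the nonce still verifies: the rest of the
    current tick plus the whole next one, so between 12 h and one second under 24 h."""
    return (nonce_tick(created_at) + 1) * HALF_LIFE - created_at
```

Because the check is bound to the session token and the user ID as well as the action, the same nonce string fails for a different user or a different action, and a nonce minted one second before a tick boundary lives only 12 hours.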
Changelog
| Version | Description |
|---|---|
| 2.0.3 | Introduced. |
User Contributed Notes
Example
Verify a nonce created with wp_create_nonce():

```php
<?php
// Step A: Create a nonce, and add it as a query var in a link to perform an action.
$nonce = wp_create_nonce( 'my-nonce' );
echo "<a href='myplugin.php?_wpnonce={$nonce}'>" . __( 'Save Something', 'textdomain' ) . "</a>";
?>
```

```php
<?php
// Step B: In our file that handles the request, verify the nonce.
$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
    die( __( 'Security check', 'textdomain' ) );
} else {
    // Do stuff here.
}
```

You may also decide to take different actions based on the age of the nonce:

```php
<?php
$nonce = wp_verify_nonce( $nonce, 'my-nonce' );
switch ( $nonce ) {
    case 1:
        echo 'Nonce is less than 12 hours old';
        break;
    case 2:
        echo 'Nonce is between 12 and 24 hours old';
        break;
    default:
        exit( 'Nonce is invalid' );
}
```