
wp_verify_nonce()

Published 2017-09-11 13:10:28 · 5838 characters · 1234 views · 0 comments · 0 favorites

wp_verify_nonce( string $nonce,  string|int $action = -1 )

Verify that correct nonce was used with time limit.


Description

The user is given a limited amount of time to use the token. Because the user ID and $action stay the same for a given form, the only input that changes between nonce creation and verification is the time, tracked as the current nonce tick.


Parameters

$nonce

(string) (Required) Nonce that was used in the form to verify

$action

(string|int) (Optional) Should give context to what is taking place and be the same when nonce was created.

Default value: -1


Return

(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.


Source

File: wp-includes/pluggable.php

function wp_verify_nonce( $nonce, $action = -1 ) {
	$nonce = (string) $nonce;
	$user = wp_get_current_user();
	$uid = (int) $user->ID;
	if ( ! $uid ) {
		/**
		 * Filters whether the user who generated the nonce is logged out.
		 *
		 * @since 3.5.0
		 *
		 * @param int    $uid    ID of the nonce-owning user.
		 * @param string $action The nonce action.
		 */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	if ( empty( $nonce ) ) {
		return false;
	}

	$token = wp_get_session_token();
	$i = wp_nonce_tick();

	// Nonce generated 0-12 hours ago
	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago
	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;
	}

	/**
	 * Fires when nonce verification fails.
	 *
	 * @since 4.4.0
	 *
	 * @param string     $nonce  The invalid nonce.
	 * @param string|int $action The nonce action.
	 * @param WP_User    $user   The current user object.
	 * @param string     $token  The user's session token.
	 */
	do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

	// Invalid nonce
	return false;
}
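The source above checks the submitted nonce against the hash for the current tick and the previous one, which is where the 1 / 2 / false return values come from. The following Python model of that logic is an added example, not WordPress code: wp_nonce_tick() and the substr slice are mirrored from the PHP, wp_hash() is modelled as HMAC-MD5 keyed with the nonce salt (what the PHP function does internally), and the salt, user ID, session token and timestamps are constructed sample values.

```python
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400
NONCE_LIFE = DAY_IN_SECONDS  # WordPress default, adjustable via the 'nonce_life' filter

# Constructed sample secret standing in for wp_salt( 'nonce' ); not a real key.
NONCE_SALT = "constructed-sample-salt-not-a-real-key"


def wp_nonce_tick(now: float) -> int:
    """Mirror of wp_nonce_tick(): the tick advances twice per nonce lifetime (every 12 h)."""
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data: str, salt: str = NONCE_SALT) -> str:
    """Model of wp_hash( $data, 'nonce' ): HMAC-MD5 keyed with the nonce salt."""
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def _expected(tick: int, action, uid: int, token: str) -> str:
    # substr( wp_hash(...), -12, 10 ): the ten characters starting 12 from the end.
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def wp_create_nonce(action, uid: int, token: str, now: float) -> str:
    """Nonce for the current tick, as wp_create_nonce() would produce."""
    return _expected(wp_nonce_tick(now), action, uid, token)


def wp_verify_nonce(nonce: str, action, uid: int, token: str, now: float):
    """Return 1 (current tick), 2 (previous tick) or False, matching the PHP source."""
    nonce = str(nonce)
    if not nonce:
        return False
    i = wp_nonce_tick(now)
    # Current window: nonce generated 0-12 hours ago. compare_digest is the
    # constant-time comparison that hash_equals() provides in PHP.
    if hmac.compare_digest(_expected(i, action, uid, token), nonce):
        return 1
    # Previous window: nonce generated 12-24 hours ago. No older tick is
    # checked, so a nonce stops validating after at most 24 hours.
    if hmac.compare_digest(_expected(i - 1, action, uid, token), nonce):
        return 2
    return False
```

Because the tick boundary is not aligned to creation time, a nonce's effective lifetime is anywhere between 12 and 24 hours; a nonce bound to a different session token or action never validates, which is why both are part of the hashed string.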

Changelog

Version  Description
2.0.3    Introduced.

Related

Uses

  • wp-includes/pluggable.php: wp_verify_nonce_failed
  • wp-includes/user.php: wp_get_session_token()
  • wp-includes/compat.php: hash_equals()
  • wp-includes/pluggable.php: wp_nonce_tick()
  • wp-includes/pluggable.php: wp_hash()
  • wp-includes/pluggable.php: nonce_user_logged_out
  • wp-includes/pluggable.php: wp_get_current_user()
  • wp-includes/plugin.php: apply_filters()
  • wp-includes/plugin.php: do_action()

Used By

  • wp-includes/rest-api.php: rest_cookie_check_errors()
  • wp-includes/comment.php: wp_handle_comment_submission()
  • wp-admin/includes/class-wp-press-this.php: WP_Press_This::add_category()
  • wp-admin/includes/class-wp-press-this.php: WP_Press_This::merge_or_fetch_data()
  • wp-admin/includes/class-wp-press-this.php: WP_Press_This::save_post()
  • wp-admin/includes/ajax-actions.php: wp_ajax_destroy_sessions()
  • wp-admin/includes/class-wp-plugin-install-list-table.php: WP_Plugin_Install_List_Table::prepare_items()
  • wp-admin/includes/post.php: wp_autosave()
  • wp-admin/includes/ajax-actions.php: wp_ajax_heartbeat()
  • wp-admin/includes/file.php: request_filesystem_credentials()
  • wp-admin/custom-header.php: Custom_Image_Header::step()
  • wp-includes/pluggable.php: check_admin_referer()
  • wp-includes/pluggable.php: check_ajax_referer()
  • wp-includes/canonical.php: redirect_canonical()
  • wp-includes/revision.php: _show_post_preview()

User Contributed Notes

  1. Contributed by Codex

    Example
    Verify a nonce created with wp_create_nonce():

    
    <?php
    // Step A: Create a nonce, and add it as a query var in a link to perform an action.
    $nonce = wp_create_nonce( 'my-nonce' );
    echo "<a href='myplugin.php?_wpnonce={$nonce}'>" . __( 'Save Something', 'textdomain' ) . "</a>";
    ?>
    
    
    <?php
    // Step B: In our file that handles the request, verify the nonce.
    // Fall back to an empty string so wp_verify_nonce() returns false (and no notice is raised) when the parameter is missing.
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
    	die( __( 'Security check', 'textdomain' ) );
    } else {
    	// Do stuff here.
    }
    

    You may also decide to take different actions based on the age of the nonce:

    
    $nonce = wp_verify_nonce( $nonce, 'my-nonce' );
    switch ( $nonce ) {
    	case 1:
    		echo 'Nonce is less than 12 hours old';
    		break;
    	case 2:
    		echo 'Nonce is between 12 and 24 hours old';
    		break;
    	default:
    		exit( 'Nonce is invalid' );
    }
    
