Nonces can be reused multiple times? Bug / Security issue?

All we need is an easy explanation of the problem, so here it is.

I’ve read that nonces are meant to be for one time use only, and after an ajax request, you should issue a new nonce so with the next ajax request, a new nonce would be sent to the server.

However, I just tested repeated ajax requests using the same nonce token, and for each request wp_verify_nonce returned true on the same token, meaning it could be reused dozens of times.

Is this intentional, or a bug?

Do I still need to issue new nonces with each ajax request, or can the same one continue to work for all future requests?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces.

Nonces are also hashed, and so the NONCE_SALT constant will be part of the resulting nonce as well. Changing the NONCE_SALT will invalidate all nonces immediately.

You should issue a new nonce every time. This is so that if the timing or methodology needs to be adjusted in the future, then your code will continue to handle it appropriately.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply