wp_verify_nonce( string $nonce, string|int $action = -1 )
Verifies that a correct security nonce was used with time limit.
Description
A nonce is valid for 24 hours (by default).
Parameters
- $nonce
-
(string) (Required) Nonce value that was used for verification, usually via a form field.
- $action
-
(string|int) (Optional) Should give context to what is taking place and be the same when nonce was created.
Default value: -1
Return
(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
Source
File: wp-includes/pluggable.php
function wp_verify_nonce( $nonce, $action = -1 ) {
$nonce = (string) $nonce;
$user = wp_get_current_user();
$uid = (int) $user->ID;
if ( ! $uid ) {
/**
* Filters whether the user who generated the nonce is logged out.
*
* @since 3.5.0
*
* @param int $uid ID of the nonce-owning user.
* @param string $action The nonce action.
*/
$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
}
if ( empty( $nonce ) ) {
return false;
}
$token = wp_get_session_token();
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 1;
}
// Nonce generated 12-24 hours ago
$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
if ( hash_equals( $expected, $nonce ) ) {
return 2;
}
/**
* Fires when nonce verification fails.
*
* @since 4.4.0
*
* @param string $nonce The invalid nonce.
* @param string|int $action The nonce action.
* @param WP_User $user The current user object.
* @param string $token The user's session token.
*/
do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );
// Invalid nonce
return false;
}
Changelog
| Version | Description |
|---|---|
| 2.0.3 | Introduced. |
Example
Verify an nonce created with
wp_create_nonce():<?php // Step A: Create an nonce, and add it as a query var in a link to perform an action. $nonce = wp_create_nonce( 'my-nonce' ); echo "<a href='myplugin.php?_wpnonce={$nonce}'>" . __( 'Save Something', 'textdomain' ) . "</a>"; ?>// Step B: In our file that handles the request, verify the nonce. $nonce = $_REQUEST['_wpnonce']; if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) { die( __( 'Security check', 'textdomain' ) ); } else { // Do stuff here. }You may also decide to take different actions based on the age of the nonce:
$nonce = wp_verify_nonce( $nonce, 'my-nonce' ); switch ( $nonce ) { case 1: echo 'Nonce is less than 12 hours old'; break; case 2: echo 'Nonce is between 12 and 24 hours old'; break; default: exit( 'Nonce is invalid' ); }