Description
Verifies that a correct security nonce was used within the time limit.
A nonce is valid for 24 hours (by default).
Usage
$int|false = wp_verify_nonce( $nonce, $action );
Parameters
- $nonce
- ( string ) required – Nonce value that was used for verification, usually via a form field.
- $action
- ( string|int ) optional default: -1 – Should give context to what is taking place and be the same value that was used when the nonce was created.
Returns
int|false
- 1 if the nonce is valid and generated between 0-12 hours ago,
- 2 if the nonce is valid and generated between 12-24 hours ago.
False if the nonce is invalid.
Source
File name: wordpress/wp-includes/pluggable.php
Lines:
1 to 50 of 50
/**
 * Verifies a nonce against the current user, session token and action.
 *
 * The expected value is derived from the current nonce tick, the action,
 * the user ID and the session token, so a nonce only verifies for the same
 * user/session/action it was recomputed for, and only during the current or
 * the immediately preceding tick.
 *
 * This function checks the nonce only. Nothing in it inspects what the
 * current user is allowed to do, so callers that gate a privileged operation
 * still need their own permission check.
 *
 * @param string     $nonce  Nonce value to verify, usually taken from a form field.
 * @param string|int $action Context of the request; must match the value used
 *                           when the nonce was created. Default -1.
 * @return int|false 1 if the nonce matches the current tick, 2 if it matches
 *                   the previous tick, false if it is empty or does not match.
 */
function wp_verify_nonce( $nonce, $action = -1 ) {
	$nonce        = (string) $nonce;
	$current_user = wp_get_current_user();
	$user_id      = (int) $current_user->ID;

	if ( 0 === $user_id ) {
		/**
		 * Filters whether the user who generated the nonce is logged out.
		 *
		 * @since 3.5.0
		 *
		 * @param int    $uid    ID of the nonce-owning user.
		 * @param string $action The nonce action.
		 */
		$user_id = apply_filters( 'nonce_user_logged_out', $user_id, $action );
	}

	// An empty nonce is rejected before any hash is computed; note that the
	// failure action below is not fired on this path.
	if ( empty( $nonce ) ) {
		return false;
	}

	$session_token = wp_get_session_token();
	$tick          = wp_nonce_tick();

	// Builds the 10-character expected nonce for a given tick value.
	$expected_for = function ( $tick_value ) use ( $action, $user_id, $session_token ) {
		$material = $tick_value . '|' . $action . '|' . $user_id . '|' . $session_token;

		return substr( wp_hash( $material, 'nonce' ), -12, 10 );
	};

	// hash_equals() is a timing-safe comparison; the known (expected) string
	// goes first and the caller-supplied nonce second.

	// Nonce generated 0-12 hours ago.
	if ( hash_equals( $expected_for( $tick ), $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago.
	if ( hash_equals( $expected_for( $tick - 1 ), $nonce ) ) {
		return 2;
	}

	/**
	 * Fires when nonce verification fails.
	 *
	 * Callbacks receive the submitted nonce and the user's session token;
	 * a callback that logs failures should avoid writing the token verbatim.
	 *
	 * @since 4.4.0
	 *
	 * @param string     $nonce  The invalid nonce.
	 * @param string|int $action The nonce action.
	 * @param WP_User    $user   The current user object.
	 * @param string     $token  The user's session token.
	 */
	do_action( 'wp_verify_nonce_failed', $nonce, $action, $current_user, $session_token );

	// Invalid nonce.
	return false;
}