WordPress core a2z

wp_verify_nonce() – Verifies that a correct security nonce was used with time limit.

Description

Verifies that a correct security nonce was used with time limit.

A nonce is valid for 24 hours (by default).

Usage

$int|false = wp_verify_nonce( $nonce, $action );

Parameters

$nonce
( string ) required – Nonce value that was used for verification, usually via a form field.
$action
( string|int ) optional default: -1 – Should give context to what is taking place and must be the same as when the nonce was created.

Returns

int|false

  • 1 if the nonce is valid and generated between 0-12 hours ago.
  • 2 if the nonce is valid and generated between 12-24 hours ago.
  • False if the nonce is invalid.

Source

File name: wordpress/wp-includes/pluggable.php

      function wp_verify_nonce( $nonce, $action = -1 ) {
        $nonce = (string) $nonce;
        $user  = wp_get_current_user();
        $uid   = (int) $user->ID;
        if ( ! $uid ) {
          
          /**
           * Filters whether the user who generated the nonce is logged out.
           *
           * @since 3.5.0
           *
           * @param int    $uid    ID of the nonce-owning user.
           * @param string $action The nonce action.
           */
          $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
        }
    
        if ( empty( $nonce ) ) {
          return false;
        }
    
        $token = wp_get_session_token();
        $i     = wp_nonce_tick();
    
        // Nonce generated 0-12 hours ago.
        $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
          return 1;
        }
    
        // Nonce generated 12-24 hours ago.
        $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
          return 2;
        }
    
        
        /**
         * Fires when nonce verification fails.
         *
         * @since 4.4.0
         *
         * @param string     $nonce  The invalid nonce.
         * @param string|int $action The nonce action.
         * @param WP_User    $user   The current user object.
         * @param string     $token  The user's session token.
         */
        do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );
    
        // Invalid nonce.
        return false;
      }
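
The tick arithmetic behind the two return values, as an added example that is not WordPress code or part of the original page: a stand-alone PHP model of the check above with the clock passed in. It assumes wp_hash() is HMAC-MD5 keyed with the site's nonce salt and that wp_nonce_tick() is ceil( time() / ( lifetime / 2 ) ); the model_* function names, salt, session tokens, user IDs and timestamps are constructed for illustration.

```php
<?php
// Added example: a stand-alone model of the check above. It does not load WordPress.
// Assumptions: wp_hash() is HMAC-MD5 keyed with the site's nonce salt, and
// wp_nonce_tick() is ceil( time() / ( nonce lifetime / 2 ) ).
// The salt, session tokens, user IDs and timestamps are constructed sample values.
const NONCE_LIFE = 86400; // 24 hours, the default lifetime

function model_tick( int $now ): int {
	return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

function model_nonce( int $tick, $action, int $uid, string $token, string $salt ): string {
	$data = $tick . '|' . $action . '|' . $uid . '|' . $token;
	return substr( hash_hmac( 'md5', $data, $salt ), -12, 10 );
}

// Same branches as wp_verify_nonce(), with the clock passed in as $now.
function model_verify( string $nonce, $action, int $uid, string $token, string $salt, int $now ) {
	if ( empty( $nonce ) ) {
		return false;
	}
	$i = model_tick( $now );
	if ( hash_equals( model_nonce( $i, $action, $uid, $token, $salt ), $nonce ) ) {
		return 1; // Issued during the current tick.
	}
	if ( hash_equals( model_nonce( $i - 1, $action, $uid, $token, $salt ), $nonce ) ) {
		return 2; // Issued during the previous tick.
	}
	return false;
}

$salt   = 'constructed-nonce-salt';
$token  = 'constructed-session-token';
$half   = NONCE_LIFE / 2;
$issued = 40000 * $half - 60; // One minute before a tick boundary.
$nonce  = model_nonce( model_tick( $issued ), 'delete-post_42', 7, $token, $salt );

// label => array( action, user ID, session token, seconds since the nonce was issued )
$cases = array(
	'30 s later'             => array( 'delete-post_42', 7, $token, 30 ),
	'30 s later, sent again' => array( 'delete-post_42', 7, $token, 30 ),
	'2 min later'            => array( 'delete-post_42', 7, $token, 120 ),
	'12 h 2 min later'       => array( 'delete-post_42', 7, $token, $half + 120 ),
	'other action'           => array( 'delete-post_43', 7, $token, 30 ),
	'other user'             => array( 'delete-post_42', 8, $token, 30 ),
	'new session token'      => array( 'delete-post_42', 7, 'constructed-token-2', 30 ),
);
foreach ( $cases as $label => list( $action, $uid, $tok, $age ) ) {
	$result = model_verify( $nonce, $action, $uid, $tok, $salt, $issued + $age );
	echo str_pad( $label, 26 ), var_export( $result, true ), PHP_EOL;
}
```

Run with the PHP CLI: a nonce issued one minute before a tick boundary verifies as 1, is accepted again when resubmitted, drops to 2 two minutes after issue and is rejected just past 12 hours, so 24 hours is an upper bound on its life. Changing the action, the user ID or the session token fails the check, and callers should compare the result against false rather than assume a single success value.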
     


Published: 25th November 2019 | Last updated: 2nd April 2020

Information

Function name: wp_verify_nonce
Plugin ref: WordPress
Version: 5.6
Sourcefile: wp-includes/pluggable.php
File ref: wp-includes/pluggable.php
Deprecated?: No
API Letters: N,V,W

Site:  core.wp-a2z.org
© Copyright WP-a2z 2014-2021. All rights reserved.


Website designed and developed by Herb Miller