wp_verify_nonce() – Verifies that a correct security nonce was used with time limit.

Description

Verifies that a correct security nonce was used with time limit.

A nonce is valid for 24 hours (by default).

Usage

$int|false = wp_verify_nonce( $nonce, $action );

Parameters

$nonce
( string ) required – Nonce value that was used for verification, usually via a form field.
$action
( string|int ) optional default: -1 – Should give context to what is taking place and be the same as when the nonce was created.

Returns

int|false

1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.

Source

File name: wordpress/wp-includes/pluggable.php

    function wp_verify_nonce( $nonce, $action = -1 ) {
        $nonce = (string) $nonce;
        $user  = wp_get_current_user();
        $uid   = (int) $user->ID;
        if ( ! $uid ) {
            /**
             * Filters whether the user who generated the nonce is logged out.
             *
             * @since 3.5.0
             *
             * @param int    $uid    ID of the nonce-owning user.
             * @param string $action The nonce action.
             */
            $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
        }

        if ( empty( $nonce ) ) {
            return false;
        }

        $token = wp_get_session_token();
        $i     = wp_nonce_tick();

        // Nonce generated 0-12 hours ago.
        $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
            return 1;
        }

        // Nonce generated 12-24 hours ago.
        $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
            return 2;
        }

        /**
         * Fires when nonce verification fails.
         *
         * @since 4.4.0
         *
         * @param string     $nonce  The invalid nonce.
         * @param string|int $action The nonce action.
         * @param WP_User    $user   The current user object.
         * @param string     $token  The user's session token.
         */
        do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

        // Invalid nonce.
        return false;
    }
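
The source above, as a stand-alone model that runs with the PHP CLI (an added example, not WordPress code). The `model_*` names, the sample key, timestamps and action strings are constructed, and the tick and hash are assumptions: wp_nonce_tick() and wp_hash() are not shown on this page, so the model uses ceil( time / 12 hours ) and HMAC-MD5 in their place.

```php
<?php
// Added example: models the checks in wp_verify_nonce() without loading WordPress.
// Assumption: tick = ceil( time / 12h ), hash = HMAC-MD5 with a constructed key.
const MODEL_NONCE_LIFE = 86400;             // 24 hours, the default lifetime stated above
const MODEL_SECRET     = 'constructed-key'; // constructed sample key, not a real salt

function model_tick( int $now ): int {
	return (int) ceil( $now / ( MODEL_NONCE_LIFE / 2 ) );
}

// Same input layout and truncation as the source: tick|action|uid|token, substr( -12, 10 ).
function model_hash( int $tick, $action, int $uid, string $token ): string {
	$data = $tick . '|' . $action . '|' . $uid . '|' . $token;
	return substr( hash_hmac( 'md5', $data, MODEL_SECRET ), -12, 10 );
}

function model_create( int $now, $action, int $uid, string $token ): string {
	return model_hash( model_tick( $now ), $action, $uid, $token );
}

// Mirrors the return contract: 1 (current tick), 2 (previous tick) or false.
function model_verify( string $nonce, int $now, $action, int $uid, string $token ) {
	if ( '' === $nonce ) {
		return false;
	}
	$i = model_tick( $now );
	if ( hash_equals( model_hash( $i, $action, $uid, $token ), $nonce ) ) {
		return 1;
	}
	if ( hash_equals( model_hash( $i - 1, $action, $uid, $token ), $nonce ) ) {
		return 2;
	}
	return false;
}

$hour  = 3600;
$t0    = 1000 * 43200 + 1;                      // constructed: first second of a tick
$ctx   = array( 'delete-post_42', 7, 'session-a' ); // constructed action, user ID, session token
$nonce = model_create( $t0, ...$ctx );

var_dump( model_verify( $nonce, $t0 + 11 * $hour, ...$ctx ) );  // checked in the same tick
var_dump( model_verify( $nonce, $t0 + 13 * $hour, ...$ctx ) );  // checked one tick later
var_dump( model_verify( $nonce, $t0 + 25 * $hour, ...$ctx ) );  // checked two ticks later
var_dump( model_verify( $nonce, $t0 + $hour, 'delete-post_43', 7, 'session-a' ) ); // other action
var_dump( model_verify( $nonce, $t0 + $hour, 'delete-post_42', 7, 'session-b' ) ); // other session

// Edge case: nonce created in the last second of a tick, checked 1 second and 12 hours later.
$late = model_create( $t0 + 43199, ...$ctx );
var_dump( model_verify( $late, $t0 + 43200, ...$ctx ) );
var_dump( model_verify( $late, $t0 + 43200 + 12 * $hour, ...$ctx ) );
```

Under this tick model, the last two calls show that a nonce created at the very end of a tick already verifies as 2 one second later and fails just over 12 hours after creation, so 24 hours is an upper bound on the lifetime rather than a guarantee.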
     
