wp_verify_nonce

Verify that the correct nonce was used within the time limit.

Description

(false|int) wp_verify_nonce( (string) $nonce, (int) $action = -1 ); 

The user is given a limited amount of time to use the token. Because the UID and $action remain the same, the only independent variable is the time.

Returns (false|int)

False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.

Parameters (2)

0. $nonce (string)
Nonce that was used in the form to verify
1. $action — Optional. (int) => -1
Should give context to what is taking place and be the same when nonce was created.

Usage

    if ( ! function_exists( 'wp_verify_nonce' ) ) {
        require_once ABSPATH . WPINC . '/pluggable.php';
    }

    // Nonce that was used in the form to verify
    $nonce = '';

    // Should give context to what is taking place and be the same when nonce was created.
    $action = -1;

    // NOTICE! Understand what this does before running.
    $result = wp_verify_nonce( $nonce, $action );

Defined (1)

The function is defined in the following location(s).

/wp-includes/pluggable.php  
    function wp_verify_nonce( $nonce, $action = -1 ) {
        $nonce = (string) $nonce;
        $user = wp_get_current_user();
        $uid = (int) $user->ID;
        if ( ! $uid ) {
            /**
             * Filters whether the user who generated the nonce is logged out.
             * @since 3.5.0
             * @param int $uid ID of the nonce-owning user.
             * @param string $action The nonce action.
             */
            $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
        }

        if ( empty( $nonce ) ) {
            return false;
        }

        $token = wp_get_session_token();
        $i = wp_nonce_tick();

        // Nonce generated 0-12 hours ago
        $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
            return 1;
        }

        // Nonce generated 12-24 hours ago
        $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
        if ( hash_equals( $expected, $nonce ) ) {
            return 2;
        }

        /**
         * Fires when nonce verification fails.
         * @since 4.4.0
         * @param string $nonce The invalid nonce.
         * @param string|int $action The nonce action.
         * @param WP_User $user The current user object.
         * @param string $token The user's session token.
         */
        do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

        // Invalid nonce
        return false;
    }
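
The tick arithmetic behind the 1 / 2 / false results, as an added stand-alone example (not WordPress core code, and it runs without WordPress). Assumptions not shown on this page: wp_hash() is modelled as HMAC-MD5 with a constructed key, wp_nonce_tick() as ceil( time / 12 hours ) for the default 24-hour lifetime, and the demo_* names and sample values are hypothetical.

```php
<?php
// Stand-alone model of the check in wp_verify_nonce(); no WordPress required.
// Assumptions: wp_hash() is modelled as HMAC-MD5 with a constructed key, and
// wp_nonce_tick() as ceil( time / 12 hours ), i.e. the default 24-hour lifetime.
const DEMO_KEY  = 'constructed-demo-salt'; // stands in for the site's nonce salt
const HALF_LIFE = 43200;                   // 12 hours in seconds

function demo_tick( int $now ): int {
	return (int) ceil( $now / HALF_LIFE );
}

function demo_nonce( int $tick, $action, int $uid, string $token ): string {
	$hash = hash_hmac( 'md5', $tick . '|' . $action . '|' . $uid . '|' . $token, DEMO_KEY );
	return substr( $hash, -12, 10 );
}

// Same decision ladder as the function above, with the clock passed in.
function demo_verify( string $nonce, $action, int $uid, string $token, int $now ) {
	if ( empty( $nonce ) ) {
		return false;
	}
	$i = demo_tick( $now );
	if ( hash_equals( demo_nonce( $i, $action, $uid, $token ), $nonce ) ) {
		return 1; // issued during the current tick
	}
	if ( hash_equals( demo_nonce( $i - 1, $action, $uid, $token ), $nonce ) ) {
		return 2; // issued during the previous tick
	}
	return false;
}

// Constructed sample values.
$token  = 'constructed-session-token';
$issued = 10 * HALF_LIFE - 60; // one minute before a tick boundary
$nonce  = demo_nonce( demo_tick( $issued ), 'delete-post_42', 7, $token );

$cases = array(
	'same minute'          => array( 'delete-post_42', 7, $issued + 30 ),
	'2 minutes later'      => array( 'delete-post_42', 7, $issued + 120 ),
	'12 hours 2 min later' => array( 'delete-post_42', 7, $issued + HALF_LIFE + 120 ),
	'different action'     => array( 'delete-post_43', 7, $issued + 30 ),
	'different user'       => array( 'delete-post_42', 8, $issued + 30 ),
);
foreach ( $cases as $label => $c ) {
	echo str_pad( $label, 22 ), var_export( demo_verify( $nonce, $c[0], $c[1], $token, $c[2] ), true ), "\n";
}
```

Because the result depends on which tick the nonce was issued in rather than on its exact age, a nonce issued shortly before a tick boundary verifies as 2 almost immediately and is rejected a little over 12 hours after issue. A return value of 2 is still a valid nonce, so callers that only need pass/fail should test for false rather than compare against 1.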