In our project we allow users to buy a coupon (WooCommerce product) for some service. We save every coupon as a custom post type with all the customer data inserted during purchase.
We then send a link via email to download the coupon as a PDF. We use the WooCommerce PDF Invoices & Packing Slips plugin for generating PDFs, and links are generated in this manner:
$url = wp_nonce_url( admin_url( 'admin-ajax.php?action=generate_wpo_wcpdf&template_type=Coupon-PDF&order_id=' . $order->id ), 'generate_wpo_wcpdf' );
The problem is obviously the lifetime of the nonce. We would need the link to be active for at least one year, meaning that we should set the nonce to 2 years. I did quite some research but could not find proper information.
Question is: what is the maximum lifetime for a nonce?
Additionally: It would be great if somebody shared their experiences with extending nonce lifetime by a lot, like in this case.
asked Aug 30, 2016 at 9:19 by Domas, edited Aug 30, 2016 at 9:55 by Josip Ivic
- "We save every coupon as a custom post type with all the customer data inserted during purchase." - given this, why even bother with a nuclear nonce? Just run a routine every day that goes through the active posts and turns any off that are expired. – C C Commented Aug 30, 2016 at 13:41
- You can roll your own nonce and set the time to whatever you want - wordpress.stackexchange/a/212316/84219 – jgraup Commented Aug 30, 2016 at 19:53
1 Answer
As time varies, WordPress needs to allow for a nonce generated at 10:01 AM to be valid at 10:02 AM. It does this by using a time “tick” instead of the actual time, which is generated in two steps:
- First divide the lifespan of a nonce, in seconds, by two
- Divide the Unix timestamp by the above value, and round it up using ceil()
By default, the lifespan is 86400 seconds, or 24 hours (and can be adjusted with the nonce_life filter). Half this, 12 hours, is 43200.
Nonce time caveat
Based on a 24-hour lifespan, a “tick” as calculated above is the same for each 12-hour span of a day. At 07:45 AM the “tick” is the same as 9:30 AM and 11:59 AM. But it will be one less than a “tick” created at 12:01 PM (a new 12-hour span within the day) or 15:30 PM.
Because of this, a WordPress nonce is not valid for exactly 24-hours from the moment that it was created, but up to 24 hours, depending how far into a 12-hour period a nonce was created.
Further reading: https://medium/myatus/wordpress-caching-and-nonce-lifespan-bb357d984da9
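The tick arithmetic from the answer above as a standalone PHP sketch (an added example, not part of the original answer and not WordPress's own code): it computes when a nonce created at a given moment stops being accepted, for the default 24-hour lifespan and for the two-year lifespan mentioned in the question. The function names and sample timestamps are constructed for illustration, and it assumes a nonce is accepted in the tick it was created in and in the following tick.

```php
<?php
// Added illustration: runs without WordPress. Function names are hypothetical;
// the arithmetic follows the two steps described in the answer.

// Tick for a Unix time: ceil( time / (lifespan / 2) ).
function example_nonce_tick(int $time, int $life): int {
    return (int) ceil($time / ($life / 2));
}

// Assumption stated in the lead-in: a nonce is accepted while the current
// tick is the one it was created in, or the next one.
function example_nonce_accepted(int $created, int $now, int $life): bool {
    $age = example_nonce_tick($now, $life) - example_nonce_tick($created, $life);
    return $age === 0 || $age === 1;
}

// Last second at which a nonce created at $created is still accepted.
function example_nonce_expiry(int $created, int $life): int {
    return (int) floor((example_nonce_tick($created, $life) + 1) * ($life / 2));
}

// Constructed sample creation times (UTC) on the day the question was asked.
$samples = [
    gmmktime(7, 45, 0, 8, 30, 2016),
    gmmktime(11, 59, 0, 8, 30, 2016),
    gmmktime(12, 1, 0, 8, 30, 2016),
];

$lifespans = [
    'default (24 hours)' => 86400,
    '2 years'            => 2 * 365 * 86400,
];

foreach ($lifespans as $label => $life) {
    echo "nonce_life = $label\n";
    foreach ($samples as $created) {
        $expiry = example_nonce_expiry($created, $life);
        // Sanity check: accepted at the expiry second, rejected one second later.
        assert(example_nonce_accepted($created, $expiry, $life));
        assert(!example_nonce_accepted($created, $expiry + 1, $life));
        printf(
            "  created %s  accepted until %s  (%.1f hours)\n",
            gmdate('Y-m-d H:i', $created),
            gmdate('Y-m-d H:i', $expiry),
            ($expiry - $created) / 3600
        );
    }
}
```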