I am trying to write a custom user registration plugin. The plugin has 5 basic functionalities:
- Take form data and create a user using `wp_insert_user`
- Once a user is created, update user meta for additional fields
- Send Email
- Send SMS
- Send to Whatsapp
To make the whole process faster I have created 5 ajax actions for the above 5 steps. Once the first step is completed I send a success nonce for every action, something like:
```php
if ( $user_id ) { // User was created successfully
    $data = [
        'user_id'      => $user_id,
        'next_actions' => [
            // Each nonce action must match the user_id . action string checked on the server
            'update_meta_field' => wp_create_nonce( $user_id . 'update_meta_field' ),
            'send_sms'          => wp_create_nonce( $user_id . 'send_sms' ),
            'send_mail'         => wp_create_nonce( $user_id . 'send_mail' ),
            'send_whatsapp'     => wp_create_nonce( $user_id . 'send_whatsapp' ),
        ],
    ];
    wp_send_json_success( $data );
}
```
Once the response has been received at the client side, 4 ajax actions are triggered on the `ajaxSuccess` event and executed asynchronously, e.g.:
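```js
$(document).ajaxSuccess(function (event, request, settings, response) {
    // Only the registration response carries next_actions; skip the follow-up responses
    if (!response || !response.data || !response.data.next_actions) {
        return;
    }
    let next_actions = response.data.next_actions;
    let user_id = response.data.user_id;
    // Fire one request per follow-up action, each with its own nonce
    $.each(next_actions, function (action, nonce) {
        $.ajax({
            url: ajaxurl,
            type: 'post',
            dataType: 'json',
            data: {
                action: action,
                nonce: nonce,
                user_id: user_id
            },
            success: function (response) {
                console.log(response);
            }
        });
    });
});
```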
On the server side I do something like:
```php
if ( wp_verify_nonce( $_POST['nonce'], $_POST['user_id'] . $_POST['action'] ) ) {
    // Send mail or Update user fields or anything else
}
```
So my queries are:
- Are there any security flaws in my approach?
- Is nonce sufficient for it or should I encrypt the response because I am exposing user_id or username to clients? Does WordPress provide any native encryption/decryption function or methods?
- I need to share some variables between the 5 actions. I chose `set_transient` to share form data across all the actions. Is it efficient? Or should I go for `SESSION`? I heard some hosting servers strip the session id from the header. Is that so? Any alternative performance-efficient way, please?
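
A hardened version of the server-side handler for the flow described in the question, as an added example that is not part of the original post; the `myreg_*` function, hook and transient names and the 10-minute window are assumptions. It validates the request, verifies the `user_id . action` nonce, and consumes a per-step transient so that a nonce, which WordPress accepts repeatedly for up to 24 hours by default, triggers each step only once.

```php
<?php
// Added example, not the poster's code. The myreg_* names, the transient keys
// and the 10-minute window are assumptions.
const MYREG_STEPS = [ 'update_meta_field', 'send_sms', 'send_mail', 'send_whatsapp' ];
const MYREG_TTL   = 600; // seconds a follow-up step stays claimable

// Call right after wp_insert_user() succeeds; returns the next_actions array.
function myreg_issue_steps( $user_id, array $form ) {
    set_transient( 'myreg_form_' . $user_id, $form, MYREG_TTL );
    $nonces = [];
    foreach ( MYREG_STEPS as $step ) {
        set_transient( 'myreg_step_' . $user_id . '_' . $step, 1, MYREG_TTL );
        $nonces[ $step ] = wp_create_nonce( $user_id . $step );
    }
    return $nonces;
}

function myreg_handle_step() {
    // Normalise request data before it reaches the nonce check.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $step    = isset( $_POST['action'] ) ? sanitize_key( wp_unslash( $_POST['action'] ) ) : '';
    $nonce   = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! $user_id || ! in_array( $step, MYREG_STEPS, true ) ) {
        wp_send_json_error( 'bad_request', 400 );
    }
    // Proves the server issued this (user, step) pair; it is not single-use.
    if ( ! wp_verify_nonce( $nonce, $user_id . $step ) ) {
        wp_send_json_error( 'bad_nonce', 403 );
    }
    // Consume the per-step marker so a captured nonce cannot be replayed
    // to resend mail or SMS during the nonce lifetime (24 hours by default).
    $marker = 'myreg_step_' . $user_id . '_' . $step;
    if ( ! get_transient( $marker ) ) {
        wp_send_json_error( 'step_done_or_expired', 409 );
    }
    delete_transient( $marker );
    // Form data is read server-side, never re-sent by the browser.
    $form = get_transient( 'myreg_form_' . $user_id );
    if ( ! is_array( $form ) ) {
        wp_send_json_error( 'form_expired', 410 );
    }
    do_action( 'myreg_run_' . $step, $user_id, $form ); // real work hooks in here
    wp_send_json_success( [ 'step' => $step ] );
}

foreach ( MYREG_STEPS as $step ) {
    add_action( 'wp_ajax_nopriv_' . $step, 'myreg_handle_step' ); // visitor is logged out
    add_action( 'wp_ajax_' . $step, 'myreg_handle_step' );
}
```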