security - Custom true nonce in conjunction with WP nonce in PWA

admin管理员组

文章数量:1122826

I'm looking for security advice on a nonce scheme I'm considering.

I have single page application with a WP backend. When the WP nonce expires, a page reload is necessary for the app to resume functioning. I am thinking I can avoid this by creating a table of true nonces. Here is the scheme.

The usual WP nonce is created and enqueued into the page. The front end script makes an ajax call for a true nonce, which can later authorize the one-time fetching of an updated WP nonce.

Currently I have a "heartbeat" type function that runs on an interval of about 3 seconds. When the script first starts, it records a start time. The heartbeat function checks current time against the start time and if it's been too long it pops up a notice and then forces a reload. Instead, I'd like the heartbeat to use a true nonce to fetch a good WP nonce along with another true nonce, then set the script start time to current.

This scheme means the app security token never gets stale, even if the user leaves the browser suspended for a month. It just tidies itself up in the first few seconds of waking up. Any failed fetch would trigger this check instantly. Unless connectivity was slow I wouldn't even alert the user.

Anyway, please let me know if I'm shooting myself in the foot, or defeating the whole purpose of the nonce. Thanks!

本文标签： securityCustom true nonce in conjunction with WP nonce in PWA