Nonces and WordPress
What is all this Nonce-sense? - Asymptomatic gives us a quick introduction on nonces.
Nonces alone sound very stupid to me. Instead of having implemented nonces alone, what the WP team should have been doing all along is obvious: every action that is not idempotent should be done through POST. Technically, it’s quite simple. Programmatically, it’s harder to do than GETs. But surely coding GETs + nonces must be much harder than simply coding POSTs.
No one is disputing how useful nonces are. They are useful. But in the context of the greater picture, they’re used to prevent WP admins from being tricked — which is exactly why POSTs should be used as well. Sure, POSTs alone don’t buy us a whole lotta security. But they surely do buy us some.
(Please don’t tell me I haven’t read the whole thread. The fact that nonces were introduced does not contradict one iota the fact that POSTs should be used for destructive operations, and that’s it.)
Update: to visitors from the #wordpress channel: I updated the article, correcting statements of fact. I’m very glad to see that you’re receptive to the POST idea. It’s no surprise that it has been floated before as an issue.
June 2nd, 2006 at 13:44
Please don’t make throwaway dismissals of WordPress policy without first informing yourself. Had you actually read the wp-hackers discussion on this, you’d have come across emails like one I sent:
http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005980.html
I’ll leave you with that thought.
June 2nd, 2006 at 13:49
ringmaster on #wordpress linked the channel to your site, which is how I found you.
The GET/POST stuff will be cleaned up over time, especially if people with the necessary programming skills and technical knowledge have time and effort to donate to the project, which is heartily encouraged by the core developers.
Nonces solve a more fundamental problem than the rather odd battle between GET and POST for idempotent actions. Nonces create a stronger cause-and-effect link between the page delivered and the action generated, discouraging and perhaps even negating the possibility of some computer-based attacks on your blog via your WordPress login cookies, especially if HTTP referer checks have been disabled.
Pity about the choice of name. http://urbandictionary.com/nonce
June 2nd, 2006 at 13:51
Thanks for your contribution, David.
But I’m still convinced that nonces should have been introduced with the corresponding move to POSTs. As you can see, rather than disagreeing, we agree on the basic issues.
June 2nd, 2006 at 13:52
Truly Valid. Very nice.
June 2nd, 2006 at 13:54
Hope you didn’t catch the page in an invalid state. Been editing and “Saving and continuing” just right now.
To everyone in this post: thanks for your contributions and comments.
June 2nd, 2006 at 13:55
BTW, which IRC server is #wordpress in?
June 2nd, 2006 at 14:02
For the record, I’ll take back my first comment, now you’ve amended your post:
“Instead of implementing nonces” -> “Instead of implementing nonces alone”
I’m in accord with the latter.
June 2nd, 2006 at 14:04
It’s okay, David. You were right all along. Thanks for the swift heads-up — you made me realize my mistake early enough.
June 2nd, 2006 at 16:27
I tend to check validity once or twice when invited to do so by such quality statements as “Valid XHTML”. Truly caught my attention.
The page validated. I’m looking at the plugin.