Wednesday, 16 March 2016

WordPress not refreshing nonce token on the server

I have a form in my plugin similar to this:

<!-- Client form -->
<form>
   <?php wp_nonce_field('my_form','_my_token'); ?>
   <!-- Additional form fields -->
</form>

It generates these two fields:

<input type="hidden" id="_my_token" name="_my_token" value="abcdefghij" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/tools.php?page=my-plugin%2Fplugin.php" />

When I submit this form, I validate it like this:

//Server's side check
if(!wp_verify_nonce($_POST['_my_token'],'my_form')){
   echo 'Invalid token! Expected token: '. wp_create_nonce( 'my_form');
   exit;
} 

The problem is that on the server the token never changes; it's always the same, and validation always fails at this step. If I log out of WordPress and then log in again, the token has changed on the client, but on the server it's the same.

I've tested this locally, and when I log in again the token always changes on both sides, but in my production environment it only changes on the client side.

It looks like it's cached somehow, but I'm not sure what exactly it could be. I've used the WP Super Cache plugin, but it's now disabled and the issue persists. I have the multisite feature enabled on my production site, but I don't believe that's related. Any ideas?



via Chebli Mohamed
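A diagnostic sketch for the situation described in the question, added here and not part of the original post or the plugin's code. wp_create_nonce() derives its value from the nonce tick, the action, the current user ID and the session token, so logging those inputs where the form is rendered and where it is verified shows which one differs, without echoing the expected token to the client. The my_plugin_* names and the admin_init hook are assumptions.

```php
<?php
// Added example: the my_plugin_* functions are hypothetical names.
// Collects the values wp_create_nonce() / wp_verify_nonce() depend on,
// plus context that shows where and when the code ran.
function my_plugin_nonce_inputs( $action ) {
    $session = wp_get_session_token(); // '' when no valid login cookie was parsed

    return array(
        'action'  => $action,
        'user_id' => get_current_user_id(), // 0 when no user is resolved for this request
        'tick'    => wp_nonce_tick(),       // changes every 12 hours with the default lifetime
        // Log a short hash only, never the session token itself.
        'session' => '' === $session ? 'none' : substr( hash( 'sha256', $session ), 0, 8 ),
        'blog_id' => get_current_blog_id(), // multisite: which site handled the request
        'init'    => did_action( 'init' ),  // 0 means WordPress had not finished loading
    );
}

// Server-side check from the question, rewritten to log instead of echo.
function my_plugin_handle_form() {
    if ( ! isset( $_POST['_my_token'] ) ) {
        return; // not a submission of this form
    }

    $nonce = sanitize_text_field( wp_unslash( $_POST['_my_token'] ) );

    if ( ! wp_verify_nonce( $nonce, 'my_form' ) ) {
        error_log(
            'my_form nonce rejected: ' .
            wp_json_encode( my_plugin_nonce_inputs( 'my_form' ) )
        );
        wp_die( 'Invalid token.', '', array( 'response' => 403 ) );
    }

    // ... process the form fields here ...
}
// Assumption: the form is an admin page, so verification runs on admin_init,
// after WordPress has authenticated the user.
add_action( 'admin_init', 'my_plugin_handle_form' );
```

Calling my_plugin_nonce_inputs( 'my_form' ) through error_log() next to wp_nonce_field() in the form template gives the client-side half of the comparison.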
