A 10 hour period for cache purging and nonce lifespan

  • Resolved Jack

    (@jack1132132)


    2 years ago

    Hello,

    I was using Disk: Enhanced as the method for the page caching, and after around 24 hours I was getting nonce invalid issues. I cleared the cache and it returned to normal.

    I’m assuming there might have been an issue where the cached page had expired nonces.

    To help at this not happening I’ve placed this code inside a custom plugin of mine:

    // Schedule the cache purge to run every 10 hours
add_action( 'wp', function() {
    if ( ! wp_next_scheduled( 'my_purge_w3tc_cache' ) ) {
        wp_schedule_event( time(), 'every_10_hours', 'my_purge_w3tc_cache' );
    }
} );

// Define the "every_10_hours" time interval
add_filter( 'cron_schedules', function( $schedules ) {
    $schedules['every_10_hours'] = array(
        'interval' => 36000, // 10 hours in seconds
        'display'  => __( 'Every 10 hours' ),
    );
    return $schedules;
} );

function my_purge_w3tc_cache() {
    if ( function_exists( 'w3tc_flush_all' ) ) {
        w3tc_flush_all();
    }
}

    The code creates a cron job to purge the cache every 10 hours.

    My question is, even using the regular cache lifespan built in the plugin, isn’t invalid nonces a matter of probability.

    Lets say a nonce lasts 24 hours, with my 10 hour interval this scenario could occur:

    Nonce |————————|————————|————————|
    Purge |———-|———-|———-|———-|———-|———-|———-|

    After the third purge, the cache will be left with the first generated nonce, but after less than 4 hours the nonce will no longer be valid and the cache will remain with the invalid nonce for another 6 hours or more.

    What is the solution to this?

    EDIT: Another option would be to purge the page and reload in case the user failed a nonce:

    function wp_verify_nonce_failed_clean_cache($nonce, $action, $user, $token){

    global $post;
    $current_page_id = $post->ID;

	if($current_page_id && !$user->ID){
		w3tc_flush_post( $current_page_id );
		wp_redirect( get_permalink() );
		exit;
	}

}
add_action( 'wp_verify_nonce_failed', 'wp_verify_nonce_failed_clean_cache', 10, 4 );

    Thank you.

    • This topic was modified 2 years ago by Jack.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @jack1132132

    Thank you for reaching out.

    The problem is with the nonce lifespan which is usually 12 hrs and the fact that the page is cached. Since W3 Total Cache does not have cache expiry, meaning if the page is cached it will remain cached until the cache is purged manually or defined in the Performance>Page Cache>Purge policy.
    There are a couple of things that you can do in this case.
    The first one is the same as I’ve shared in the previous answer and that is to set up a custom cron job on the server and call w3tc_flush_all(); every 12 hrs for example.
    The other thing that you can do is to set up a cache Preload in Performance>Page Cache>Cache Preload to Automatically prime the page cache. With this, you can manage Update interval: The number of seconds to wait before creating another set of cached pages.
    Also, there is an option Garbage collection interval: which If caching to disk, specifies how frequently expired cache data is removed. For busy sites, a lower value is best.

    To sum up, nonce and caching are not the best friends. but there are a couple of solutions as mentioned above that can work.
    I hope this helps and let me know if you have any other questions.

    Thanks!

    Thread Starter Jack

    (@jack1132132)

    Hello,

    yes I have a cron job that purges the cache every 10 hours, however doesn’t this leave it up to chance whether the cache contains the correct nonce.

    If I purge the cache every 10 hours and the lifespan of nonces are 12 hours, what if the cache is purged and the nonce expires 2 hours after for example, wouldn’t the cached page offer 8 hours of an invalid nonce?

    thank you

    Thread Starter Jack

    (@jack1132132)

    Hello,

    I’m reading the function that verified nonces and I’m noticed this part:

    	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago.
	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;
	}

    It seems the function returns true (1 or 2) if the nonce is under 12h or under 24h old. Does the nonce get regenerated after 12 hours but remain valid for up to 24 hours? That would explain how purging the cache every 1-12 hours works.


    Thank you.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @jack1132132

    This should not be the case. Have you tried matching the nonce lifetime??

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘A 10 hour period for cache purging and nonce lifespan’ is closed to new replies.

Tags