Best settings for avoiding cached nonce issues

  • Resolved jamieburchell

    (@jamieburchell)


    3 weeks, 5 days ago

    I recently came up against an issue where a nonce stored in a cached HTML page had expired and caused a 403 at admin-ajax.php.

    I now realise that my pages (Disk: Enhanced) need to expire before any nonce does. However that leads me to what settings do I need to best handle this?

    I think that setting the “Maximum lifetime of cache objects” under the Page cache settings needs to change, but that alone can’t be enough since the HTML pages will persist past this value until the garbage collection runs. Is that correct? So I’m thinking that the garbage collection interval needs to be adjusted too? I’m assuming the garbage collection removes expired files and doesn’t just delete _old.html files?

    I also considered just excluding the pages that I know had nonces in the HTML (in this case a Gravity Form with Stripe payment) but looking at the HTML I see all pages on my sites have nonces for various things (Elementor outputs them). So realistically this issue could happen anywhere.

    I’d really appreciate a hand identifying the values that need to change and what to.

    What I have implemented now, knowing that a nonce can live between 12-24 hours is a expiry of 36,000 (10 hours) with garbage collection 3,600 (1 hour) with a real cron running every 15 minutes. Does that seem reasonable to mitigate the issue or should I be concerned with anything else?

    • This topic was modified 3 weeks, 5 days ago by jamieburchell. Reason: Added current settings to mitigate issue
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @jamieburchell

    Thank you for reaching out adn I am happy to help!
    The Maximum lifetime of cache objects should be the same as the garbage collection interval. The nonce is valid by default for 12hrs however, it can be changed in the development of specific things. It also depends on what is it used for.
    So instead of using 1 hour, you can set everything to a higher time frame but lower than 12 hours, so for example 10 hours or 11

    We will be adding some new options in the W3 Total Cache where you can specify the cache purge at a specific time and also some other options for more persistent caching.

    I hope this helps!

    Thanks!

    Thread Starter jamieburchell

    (@jamieburchell)

    Surely the garbage collection needs to be more frequent than the object expiry because not all objects will expire at the same time? It could take up to an hour to remove an expired page from the disk cache, otherwise it would still get served.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @jamieburchell

    Thank you for your feedback.
    GC interval is for the expired cache. Yes, the cache may not expire att the same time, depending on when it was created, so I am stating the perfect clear the cache and visited the page moment.
    You can keep it to 3600s with real creon and this will delete the _old files

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.