Cannot fill forms on cached pages due to nonce verification

Nonce is verified for logged-in users only; please look at the relevant code.

By default, all page caching plugins do not cache logged-in users. If you are doing so, it is a mistake – many WordPress things won’t work with that approach.

In any case, you should set the nonce lifetime two times longer than the cache lifespan. You can increase nonce lifetime via WordPress hooks. Or, what is better, decrease the page caching time. The default nonce lifespan is 1 day, split equally by 2 ticks. The cache time must be less than 1 tick, i.e., less than 12 hours.

For more details, please read a similar discussion on our GitHub.

Hello, and thank you for your response. I’ve reviewed the GitHub discussion you referenced and have noticed that the situation described there aligns with what I’ve observed. Your plugin checks the nonce exclusively for logged-in users, yet it appends the nonce to Contact Form 7 for all users, regardless of whether they are logged in or not. Consequently, the function rest_cookie_check_errors verifies the nonce on REST API calls for guest users as well. Therefore, it’s not entirely accurate to state that “Nonce is verified for logged-in users only” since this applies specifically to your plugin’s functionality.

Nonetheless, I appreciate the detailed explanation provided in the discussion, and we’ll consider it further to develop a potential solution on our end.

May I also propose the addition of a constant within the plugin settings? This would grant developers the flexibility to choose whether to disable the nonce for guest users.

Thank you for considering my suggestion.

Yes, you are right – the WP core checked the nonce for not logged-in users with the CF7 form.

I have added a fix for CF7. It will be released in v4.0.0 of the plugin at the beginning of April.

Thank you! We really appreciate the support and the quick fix for CF7. Looking forward to v4.0.0!