• Resolved mojamba

    (@mojamba)


    I have used your plugin for years – thanks, it’s great. I have had no issues with a LiteSpeed server using WP Super Cache and with SiteGround and their homemade caching setup. But, recently I switched to a new host with a LiteSpeed server and decided to try the LiteSpeed Cache plugin. Unfortunately, stats seem to gather correctly for a while but then drift off or stop entirely.

    I read about your nonce expiring in 24 hours. I am wondering if this may be my issue. So, I’d like to test and see. Can you tell me what line(s) in what file(s) set this expiration so I can manually change it to test? Also, IF this is the issue (or could be an issue for others), could you consider adding a filter so we could adjust the nonce expiration for just WPP instead of making that change universal?

    • This topic was modified 4 years, 5 months ago by mojamba.
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Hector Cabrera

    (@hcabrera)

    Hi @mojamba,

    You can change the expiration time of your nonces via the nonce_life filter hook as mentioned here.

    Thread Starter mojamba

    (@mojamba)

    Thanks. I saw that in my research but was hoping to do it for only your plugin. I am guessing it is an all or nothing thing?

    Plugin Author Hector Cabrera

    (@hcabrera)

    Yep, it’s all or nothing. Nonces are a WordPress thing, not something controlled/created by the plugin. You can read more about it here if you’re feeling curious: WordPress Nonces.

    Thread Starter mojamba

    (@mojamba)

    Hmmm, that’s interesting reading. Two questions come to mind:

    (1) In talking about lifetime it mentions using “a system with two ticks (half of the lifetime) and validates nonces from the current tick and the last tick.” If I read that correctly, to be certain of getting a nonce lifetime of one week (the default LiteSpeed Cache TTL) I would actually need to specify a lifetime of two weeks. Does that sound correct to you?

    (2) While the entire discussion of nonces in that link is interesting and makes sense in context, I am failing to see why you need to use a nonce for WPP. Or, at least, why you need to use one for the data collection. Again, maybe I am misunderstanding something, but what’s the worst that would happen if you didn’t use a nonce? Someone might maliciously cause page views to be higher than reality? That doesn’t seem like a thing many would bother trying to do. Or am I missing something big?

    Assuming I am missing some important reason for you to use nonces, I read this on that page also:

    “When a nonce is valid, the functions that validate nonces return the current tick number, 1 or 2. You could use this information, for example, to refresh nonces that are in their second tick so that they do not expire.”

    Is that something you could use on your end to ensure that you are able to use nonces but effectively have them not expire? If so, would that be an acceptable compromise?

    Plugin Author Hector Cabrera

    (@hcabrera)

    > (1) In talking about lifetime it mentions using “a system with two ticks (half of the lifetime) and validates nonces from the current tick and the last tick.” If I read that correctly, to be certain of getting a nonce lifetime of one week (the default LiteSpeed Cache TTL) I would actually need to specify a lifetime of two weeks. Does that sound correct to you?

    I think it’s the other way around: WordPress will check the validity of the nonce two times within the lifetime of the nonce.

    From the documentation:

    
    add_filter( 'nonce_life', function () { return 4 * HOUR_IN_SECONDS; } );
    

    (…) The example above will give you nonces that are valid for 2-4 hours.

    > (2) While the entire discussion of nonces in that link is interesting and makes sense in context, I am failing to see why you need to use a nonce for WPP. Or, at least, why you need to use one for the data collection.

    For two reasons:

    1. To prevent the misuse of WPP’s REST API endpoints, especially when inserting data into the database; and more importantly
    2. Because WordPress actually enforces the usage of nonces when sending a POST request to the REST API, otherwise the REST API will reject the request. Even if I didn’t care about security (#1), WordPress would still make sure that the request originated from a valid source before processing it.

    > “When a nonce is valid, the functions that validate nonces return the current tick number, 1 or 2. You could use this information, for example, to refresh nonces that are in their second tick so that they do not expire.”
    >
    > Is that something you could use on your end to ensure that you are able to use nonces but effectively have them not expire? If so, would that be an acceptable compromise?

    In scenarios where the developer has control over the nonce validation process then yeah that probably wouldn’t be a problem. However, I’m not sure whether that’s possible in this context: it’s the REST API -and not WPP- that validates the nonce whenever it receives a POST request. If it’s valid then it routes the request to WPP’s endpoint so it can do its thing, otherwise -as already pointed out- the API will reject the request and it will never reach WPP’s callbacks.

    I’ll look into this but I wouldn’t hold my breath as this might lead nowhere. If on the other hand I figure out a way to do it then I’ll gladly implement it: compatibility with caching plugins would be a lot better and I’d get a lot fewer support requests related to this kind of issue.

    For the time being your options are to either extend the lifetime of your nonces or to reduce the lifetime of your site’s cache to make sure that your nonces don’t expire before your site’s cache does.

    Thread Starter mojamba

    (@mojamba)

    Thanks for taking the time to give a detailed answer. It would be great if you are able to find a way to do that for the future, but I see your point about it not being likely.

    I still think my interpretation is correct about the length though. If a 4 hour nonce setting is good for 2-4 hours, then you cannot guarantee it will last for 4 hours (could be just 2, or more likely, somewhere between 2 and 4). So, to guarantee 4 you would need to set for 8, achieving anywhere from 4-8 hours of life. So, in my case, to be sure I get a lifetime of at least the 1 week TTL of LS Cache, I need to set it for 2 weeks. Isn’t that right?

    Anyway, I will set the nonce filter (to two weeks for now to be safe) and see how things go. I’ll report back when I know more.
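
The two-tick window debated in this thread, worked through as an added example (not part of the original posts, and not WPP or WordPress code). The tick formula follows WordPress core's wp_nonce_tick(); the function names and timestamps are constructed for illustration.

```php
<?php
// Added example: stand-alone model of the two-tick nonce window; it does not load WordPress.
// tick_at(), verify_at(), seconds_valid() and covers_cache_ttl() are hypothetical names.

const HOUR = 3600;
const DAY  = 86400;

// Same arithmetic as core's wp_nonce_tick(): one tick lasts half of nonce_life.
function tick_at( int $time, int $nonce_life ): int {
    return (int) ceil( $time / ( $nonce_life / 2 ) );
}

// What wp_verify_nonce() would report: 1 = current tick, 2 = previous tick, false = expired.
function verify_at( int $created, int $now, int $nonce_life ) {
    $age = tick_at( $now, $nonce_life ) - tick_at( $created, $nonce_life );
    return ( 0 === $age ) ? 1 : ( ( 1 === $age ) ? 2 : false );
}

// Seconds for which a nonce created at $created keeps validating.
function seconds_valid( int $created, int $nonce_life ): int {
    $half = intdiv( $nonce_life, 2 );
    return ( tick_at( $created, $nonce_life ) + 1 ) * $half - $created;
}

// A cached page keeps working only if its embedded nonce outlives the cache
// in the worst case, i.e. when it was generated in the last second of a tick.
function covers_cache_ttl( int $nonce_life, int $cache_ttl ): bool {
    return intdiv( $nonce_life, 2 ) >= $cache_ttl;
}

$cache_ttl = 7 * DAY; // the one-week cache TTL mentioned in the thread
foreach ( [ '4 hours' => 4 * HOUR, '1 week' => 7 * DAY, '2 weeks' => 14 * DAY ] as $label => $life ) {
    $half  = intdiv( $life, 2 );
    $start = 1000 * $half;      // constructed timestamp sitting on a tick boundary
    $early = $start + 1;        // nonce generated just after a tick began
    $late  = $start + $half;    // nonce generated in the last second of that tick
    printf(
        "nonce_life=%-8s longest=%.1fh shortest=%.1fh covers 1-week cache: %s\n",
        $label,
        seconds_valid( $early, $life ) / HOUR,
        seconds_valid( $late, $life ) / HOUR,
        covers_cache_ttl( $life, $cache_ttl ) ? 'yes' : 'no'
    );
    // One second after $late the nonce is already in its second tick.
    printf( "  verify 1s after late nonce: %s\n", var_export( verify_at( $late, $late + 1, $life ), true ) );
}
```

Because nonce_life applies to every nonce on the site, raising it to cover a cache TTL lengthens the acceptance window for all of them, not only the wp_rest nonce that WPP's REST requests depend on.
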

    Thread Starter mojamba

    (@mojamba)

    I have made the change and am waiting to see. But, I have also learned that LS Cache has an ESI feature that can block caching of nonces. I’m not sure which solution would be better (from both a security and a performance perspective) but I’d like to try both. So, what is the name of the nonce I should add to that ESI setting?

    Plugin Author Hector Cabrera

    (@hcabrera)

    According to the documentation it’s wp_rest.

    Thread Starter mojamba

    (@mojamba)

    Sorry to take so long to report back. I can confirm that using wp_rest as an ESI nonce for LiteSpeed Cache does seem to work.

    Plugin Author Hector Cabrera

    (@hcabrera)

    Awesome, thanks for the update @mojamba. Hopefully this will help future readers having similar issues.

  • The topic ‘LiteSpeed Cache Issue’ is closed to new replies.