How to exclude nonce from being cached?

Thanks for responding. Reading the usage example, I presume that this applies to specific HTML elements. But how does this apply to nonces? Do I have to exclude the whole script from being cached? I tried:

add_filter("TOA_PLUGIN/nonce_scriptx", function ($_) {
    // put the data in cache to be sure to return the same value on all calls
    if (!isset($GLOBALS["TOA_PLUGIN"]["nonce_scriptx"])) {
        $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"] = bin2hex(random_bytes(12));
    }

    echo apply_filters( 'litespeed_esi_url', 'my_esi_block', 'Custom ESI block' );
    return $GLOBALS["TOA_PLUGIN"]["nonce_scriptx"];
});

and then the function for the action hook as described. Result: an error is issued. Obviously this does not really apply.

  • This reply was modified 4 hours, 6 minutes ago by timholz.

Plugin Support
qtwrk

(@qtwrk)

Are you creating your own custom nonce system?

Why not use WordPress's own wp_create_nonce()? We have native ESI support for WP nonce.

Yes, I am. I tried wp_create_nonce() and found out that it is the same nonce value throughout the whole website. It never changes and it is, as I learned, not cryptographically random, too.

I noticed that Convert custom nonce to ESI exists. I’ve even tried it. But without any success. The example is not very clear. For instance:

Then you need to call the API somewhere before that line, like so:

What does that mean? Somewhere before? Within the function that has wp_create_nonce() or outside?

  • This reply was modified 3 hours, 13 minutes ago by timholz.
  • This reply was modified 3 hours, 12 minutes ago by timholz. Reason: spelling

Plugin Support
qtwrk

(@qtwrk)

Well, that's how WP made its nonce.

ref: https://developer.projectdmc.org/apis/security/nonces/

Back to the topic.

Imagine you have code like

...
wp_create_nonce('my-nonce-name');
...

then you change it to

...
do_action( 'litespeed_nonce', 'my-nonce-name' );
wp_create_nonce('my-nonce-name');
...

or you can add some check, to see if LSCWP or ESI is enabled

...
// register the nonce with ESI only when LSCWP is loaded and ESI is enabled
if ( defined('LSCWP_V') && apply_filters( 'litespeed_esi_status', false ) ) {
    do_action('litespeed_nonce', 'my-nonce-name');
}

wp_create_nonce('my-nonce-name');
...

or even simpler, just go to LiteSpeed Cache -> Cache -> ESI -> enable ESI, add my-nonce-name into the ESI nonce list, save and purge.

OK. This is my test:

add_action( 'run_custom_nonce_value', 'custom_nonce_value' );
function custom_nonce_value() {
    do_action('litespeed_nonce', 'GurkensalatmitSauce');
    $created_nonce = wp_create_nonce('GurkensalatmitSauce');
    echo 'nonce_test: '. $created_nonce;
    return $created_nonce;
}

ESI enabled and ‘GurkensalatmitSauce’ added to the list. The echo is:

nonce_test: nonce_test: [an error occurred while processing this directive] 5d557226b9 

In the console I get various errors that scripts and inline scripts are rejected. With ESI disabled no errors at all, but everywhere the same nonce.

  • This reply was modified 2 hours, 46 minutes ago by timholz.
  • This reply was modified 2 hours, 35 minutes ago by timholz.

And another test with ESI enabled and 'my-nonce-name' added to the ESI-nonces field:

do_action('litespeed_nonce', 'my-nonce-name');
$GLOBALS['testnonce'] = wp_create_nonce('my-nonce-name'); //to retrieve value in various places

Shows the same nonce throughout the whole site. do_action('litespeed_nonce','my-nonce-name'); does not do anything. I conclude that this is good for nothing. The rest of litespeed works well though.

  • This reply was modified 23 seconds ago by timholz.
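
Added example (not from the thread, and not LiteSpeed or WordPress code): a stand-alone PHP model of how WordPress core derives a nonce, showing why wp_create_nonce() returns the same value site-wide within a 12-hour tick, next to a per-response random value like the bin2hex(random_bytes(12)) in the first post. The model_* and random_nonce names, the salt, the user ID, the session token and the timestamps are constructed for illustration.

```php
<?php
// Stand-alone model of WordPress's nonce derivation. The model_* names and all
// sample values (salt, user ID, session token, timestamps) are constructed.

const NONCE_LIFE = 86400; // WordPress default nonce lifetime: one day

// Mirrors wp_nonce_tick(): the counter advances once every 12 hours.
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Mirrors wp_create_nonce(): keyed hash over tick|action|uid|token, cut to
// 10 hex characters. Nothing in the input changes from one request to the next.
function model_create_nonce(string $action, int $uid, string $token, string $salt, int $now): string {
    $data = model_nonce_tick($now) . '|' . $action . '|' . $uid . '|' . $token;
    return substr(hash_hmac('md5', $data, $salt), -12, 10);
}

// A value that is fresh on every call, as in the thread's first snippet.
function random_nonce(): string {
    return bin2hex(random_bytes(12));
}

$salt     = 'constructed-nonce-salt'; // stands in for wp_salt('nonce')
$uid      = 0;                        // logged-out visitor
$token    = '';                       // logged-out visitor has no session token
$t0       = 1700000000;               // constructed request time
$tick_end = model_nonce_tick($t0) * (NONCE_LIFE / 2); // last second of this tick

$a = model_create_nonce('my-nonce-name', $uid, $token, $salt, $t0);
$b = model_create_nonce('my-nonce-name', $uid, $token, $salt, $t0 + 3600);
$c = model_create_nonce('my-nonce-name', $uid, $token, $salt, $tick_end + 1);

printf("request at t0:        %s\n", $a);
printf("one hour later:       %s (same: %s)\n", $b, $a === $b ? 'yes' : 'no');
printf("after the tick rolls: %s (same: %s)\n", $c, $a === $c ? 'yes' : 'no');
printf("random per call:      %s / %s\n", random_nonce(), random_nonce());
```

Because the derived value only changes with the tick, the action name, the user or the session, a full-page cache can serve it unchanged; a value that must differ per response has to be generated outside the cached output.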

 
