Can you have more than one nonce on a page?

I have a site with a page where there's one form in the sidebar, and one in the main body of the page. The sidebar comes first in the HTML.

Both forms have their own nonces (generated with wp_nonce_field) with different $action and $name parameters. The $referrer fields are on.

When I submit the second form, I get the usual "Are you sure you want to do this?" message.

If I remove the first form, things work correctly.

I added some debugging to wp_verify_nonce (var_dump statements and an exit;) and it's failing after a NULL $nonce and the $action of the first form (i.e. the one I haven't submitted.)

$_POST contains all of the second form, as you'd expect.

Any ideas?

Topic nonce forms Wordpress

Category Web

1
answered at

This turned out to be a pretty straightforward bug with my own code.

The problem was my first form was checking for submission with a simple:

if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) {

so it was being triggered even when the other form was submitted, and my wp_verify_nonce() check would fail and then it would call wp_nonce_ays.

To fix, I added this to the conditional:

and isset( $_POST['sidebar_form_wpnonce'] )

So yes, you can have more than one form/nonce per page.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.