wp nonce is an ancient wp attempt to give whoever uses it some kind of feeling of security … it doesn’t provide much …
whoever reads the docs and looks behind the scenes will come to the same conclusion: in the end, it does nothing more than verify a token localized by the backend, especially when it comes to anonymous sessions …
it should provide CSRF (Cross-Site Request Forgery) protection, and that might be possible for logged-in user sessions, but it is still highly risky because any slightly advanced hacker kid can read the nonce token in his browser debug window … and use it
hakka passport, as part of our Metro Framework, is different: thanks to the module identity of the backend scripts, a clear caller identification can be performed without sending tokens over the wire. it just exists as soon as the module php script and its js script are loaded; the js is connected and automatically identified, so the ajax request arriving at the backend can be identified as secure, whether it is a logged-in session or an anonymous session
the decisive point here is that it does not have to be sent to the backend by the browser as part of the URI, so at the backend, any attempt using this URI sampling technique dies before getting anywhere
still, we have to remind you: it is not a security measure, it is a CSRF prevention measure for any kind of session, and it assures that the request really comes from a legit browser access
nevertheless, the backend has to check proper user authentication or capabilities, but that is another issue
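a simplified model of how a wp nonce is derived and checked, added here as an example (it is not code from wp core or from hakka Passport): it shows that nothing visitor-specific goes into an anonymous nonce, and that the capability check stays a separate step. the salt, the timestamp, the `delete_item` action and the `handle_delete` handler are assumptions made up for the example.

```python
import hashlib
import hmac

NONCE_LIFE = 86400  # WordPress default nonce lifetime: one day, in seconds
SITE_SALT = b"constructed-nonce-salt"  # constructed stand-in for the site's secret nonce salt


def nonce_tick(now):
    """Counter that advances every half lifetime (12 hours by default)."""
    return -(-now // (NONCE_LIFE // 2))  # integer ceiling division


def _nonce_for_tick(tick, action, uid, session_token):
    # HMAC-MD5 over tick|action|uid|session_token, cut down to 10 hex characters.
    data = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(SITE_SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, uid, session_token, now):
    """Anonymous visitors have uid 0 and an empty session token."""
    return _nonce_for_tick(nonce_tick(now), action, uid, session_token)


def verify_nonce(nonce, action, uid, session_token, now):
    """Return 1 (current tick), 2 (previous tick) or 0 (invalid)."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, uid, session_token), nonce):
            return age
    return 0


def handle_delete(nonce, uid, session_token, capabilities, now):
    """Hypothetical AJAX handler: the nonce check and the capability check are separate steps."""
    if not verify_nonce(nonce, "delete_item", uid, session_token, now):
        return 403, "bad nonce"
    if "delete_posts" not in capabilities:  # authorization, independent of the nonce
        return 403, "not allowed"
    return 200, "deleted"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    anon = create_nonce("delete_item", 0, "", now)
    print("anonymous nonce, same for every logged-out visitor:", anon)
    print(handle_delete(anon, 0, "", set(), now))
```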
hakka Passport does not use hooks or any other wp core resources, which means its performance is supreme
hakka Passport does not need script enqueuing or localized var names, and its usage is no different for anonymous or logged-in sessions, it just exists
unlike wp nonce, hakka Passport provides a comprehensive private log of all requests, and no admin has to trust empty promises, we show what it does
also, no less important, replacement does not mean wp nonce is removed from the host system, it coexists perfectly, just the Metro Modules do not use it anymore; any other plugin installed and not migrated to be a Metro Module can keep using nonce with the same constraints it always had
if you have any doubt or curiosity, feel free to comment and ask.
passport is replacing wp nonce
hakka quote … 2025, meanwhile we travel to mars and they are not able to make such a silly thing