Nonces are generated numbers used to verify origin and intent of requests for security purposes.
A new one is created if one logs out and then back in.
We can verify a supplied nonce value against the value WP created. It returns true or false.
As the WP nonce was created on the page in WP, we can be sure the data received came from that page.
WP uses a tick cycle of 12 hrs, starting from midnight.
A nonce is valid for 2 ticks, so a nonce issued in one tick is no longer valid in the tick after next; its lifetime is therefore at most 24 hrs, not a guaranteed full 24 hrs.
Great article on nonces: https://www.bynicolas.com/code/wordpress-nonce/

Session Token:
- $PageNonce = wp_create_nonce('NoncePageTest')
- PageNonce = a1b3da5ea2
- Invalid Nonce $InvalidNonce set by us:
- InvalidNonce = 3dd3445tt3r33
- Verify our CREATED NONCE: wp_verify_nonce($PageNonce,'NoncePageTest')
- NONCE is VALID
- Verify our INVALID NONCE: wp_verify_nonce($InvalidNonce,'NoncePageTest')
- NONCE is INVALID
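The two-tick lifetime and session-token dependence described above, modelled in Python as an added example (this is not WordPress's own code). It mirrors the shape of wp_create_nonce/wp_verify_nonce (tick = ceil(now / 12h), HMAC over tick|action|uid|token, 10 characters taken 12 from the end of the digest, current-or-previous-tick check), but the secret, user id and session tokens are constructed values.

```python
import hashlib
import hmac
from math import ceil

NONCE_LIFE = 24 * 60 * 60  # WP default: one day, split into two 12-hour ticks
SECRET = b"constructed-demo-secret-not-a-real-wp-salt"  # constructed; WP uses its nonce salt


def nonce_tick(now: int, nonce_life: int = NONCE_LIFE) -> int:
    """Tick counter: the 12-hour window that 'now' falls in (mirrors wp_nonce_tick)."""
    return ceil(now / (nonce_life / 2))


def _nonce_for_tick(tick: int, action: str, uid: int, token: str) -> str:
    """HMAC over tick|action|uid|token; keep 10 chars starting 12 from the end (as WP does)."""
    data = f"{tick}|{action}|{uid}|{token}".encode()
    digest = hmac.new(SECRET, data, hashlib.md5).hexdigest()
    return digest[-12:-2]


def create_nonce(action: str, uid: int, token: str, now: int) -> str:
    """Nonce bound to the action, the user, the current session token and the current tick."""
    return _nonce_for_tick(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: int):
    """1 if the nonce is from the current tick, 2 if from the previous tick, False otherwise."""
    tick = nonce_tick(now)
    supplied = str(nonce).encode()
    # Constant-time comparison, so a forged value cannot be confirmed byte by byte.
    if hmac.compare_digest(_nonce_for_tick(tick, action, uid, token).encode(), supplied):
        return 1
    if hmac.compare_digest(_nonce_for_tick(tick - 1, action, uid, token).encode(), supplied):
        return 2
    return False


if __name__ == "__main__":
    t0 = 101 * 43200  # constructed: last second of tick 101
    page_nonce = create_nonce("NoncePageTest", 1, "session-A", t0)
    print("same tick      :", verify_nonce(page_nonce, "NoncePageTest", 1, "session-A", t0))
    print("next tick      :", verify_nonce(page_nonce, "NoncePageTest", 1, "session-A", t0 + 43200))
    print("third tick     :", verify_nonce(page_nonce, "NoncePageTest", 1, "session-A", t0 + 43201))
    print("after re-login :", verify_nonce(page_nonce, "NoncePageTest", 1, "session-B", t0))
    print("invalid value  :", verify_nonce("3dd3445tt3r33", "NoncePageTest", 1, "session-A", t0))
```

Because the tick boundary, not the creation time, decides validity, a nonce created late in a tick survives only a little over 12 hours, which is why the page says "a maximum of 24hrs not a full 24hrs".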