In our project we allow users to buy a coupon ( WooCommerce product ) for some service. We save every coupon as a custom post type with all the customer data inserted during purchase.
We then via email send a link to download the coupon in PDF. We use the WooCommerce PDF Invoices & Packing Slips plugin for generating PDFs and links are generated in this manner:
$url = wp_nonce_url( admin_url( 'admin-ajax.php?action=generate_wpo_wcpdf&template_type=Coupon-PDF&order_id=' . $order->id ), 'generate_wpo_wcpdf' );
The problem is obviously the lifetime of the nonce. We would need the link to be active at least one year, meaning that we should set the nonce to 2 years. I did quite some research but could not find proper information.
Question is: what is the maximum lifetime for nonce?
Additionally: It would be great if somebody shared their experiences with extending nonce lifetime by a lot, like in this case.
As time varies, WordPress needs to allow for a nonce generated at 10:01 AM to be valid at 10:02 AM. It does this by using a time “tick” instead of the actual time, which is generated in two steps:
By default, the lifespan is 86400 seconds, or 24 hours (and can be adjusted with the nonce_life filter). Half this, 12 hours, is 43200.
Nonce time caveat

Based on a 24-hour lifespan, a “tick” as calculated above is the same for each 12-hour span of a day. At 07:45 AM the “tick” is the same as 9:30 AM and 11:59 AM. But it will be one less than a “tick” created at 12:01 PM (a new 12-hour span within the day) or 15:30 PM.
Because of this, a WordPress nonce is not valid for exactly 24-hours from the moment that it was created, but up to 24 hours, depending how far into a 12-hour period a nonce was created.
Further reading: https://medium/myatus/wordpress-caching-and-nonce-lifespan-bb357d984da9
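The tick arithmetic described in the answer above, as an added example that is not part of the original post or of WordPress itself: it runs without WordPress and shows how long a nonce really lasts under the default lifespan and under the two-year lifespan from the question. The helper names nonce_tick_at(), nonce_accepted() and nonce_seconds_left() are hypothetical and the timestamps are constructed; the accept rule (current tick or the one before it) is what WordPress applies when verifying a nonce.

```php
<?php
// Added example: standalone model of the nonce "tick". Helper names are
// hypothetical, not WordPress functions; sample times are constructed.
const DAY_IN_SECONDS = 86400;

// Tick for a timestamp: time divided by half the lifespan, rounded up.
function nonce_tick_at(int $timestamp, int $life = DAY_IN_SECONDS): int
{
    return (int) ceil($timestamp / ($life / 2));
}

// A nonce is accepted while the current tick is its own tick or the next one.
function nonce_accepted(int $created, int $checked, int $life = DAY_IN_SECONDS): bool
{
    $age = nonce_tick_at($checked, $life) - nonce_tick_at($created, $life);
    return $age === 0 || $age === 1;
}

// Seconds from creation until the end of the following tick (last valid moment).
function nonce_seconds_left(int $created, int $life = DAY_IN_SECONDS): int
{
    $half = intdiv($life, 2);
    return (nonce_tick_at($created, $life) + 1) * $half - $created;
}

// Constructed sample times (UTC), following the answer's 24-hour example.
$t0745 = gmmktime(7, 45, 0, 1, 1, 2024);
$t1159 = gmmktime(11, 59, 0, 1, 1, 2024);
$t1201 = gmmktime(12, 1, 0, 1, 1, 2024);
$next0001 = gmmktime(0, 1, 0, 1, 2, 2024); // 12h02m after 11:59

printf("07:45 and 11:59 share a tick: %s\n",
    var_export(nonce_tick_at($t0745) === nonce_tick_at($t1159), true));
printf("12:01 tick minus 07:45 tick: %d\n",
    nonce_tick_at($t1201) - nonce_tick_at($t0745));
printf("created 07:45, valid for %.2f h\n", nonce_seconds_left($t0745) / 3600);
printf("created 11:59, valid for %.2f h\n", nonce_seconds_left($t1159) / 3600);
printf("created 11:59, checked next day 00:01: %s\n",
    nonce_accepted($t1159, $next0001) ? 'accepted' : 'rejected');

// Lifespan from the question: two years (365-day years), so a one-year tick.
$twoYears = 2 * 365 * DAY_IN_SECONDS;
printf("2-year lifespan, created 2024-01-01 07:45: valid for %.1f days\n",
    nonce_seconds_left($t0745, $twoYears) / DAY_IN_SECONDS);
```

With any lifespan the guaranteed validity is only half of it, which is why a link that must work for at least one year needs a two-year lifespan.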