My understanding is that WordPress nonces (not exactly a "number used once") prevent cross-origin request forgery and last 12 hours.
I'm displaying a schedule of classes with a registration button for each class. I am re-using the nonce so that each button repeats the same nonce in a data attribute:
<button data-nonce="85bad21a61" data-event="unique-data">Unique</button>
<button data-nonce="85bad21a61" data-event="unique-data">Unique</button>
Users aren't logged in to WordPress. I'm storing their account data, returned from a successful API login, in a WP_Session variable.
Nonce is created with this line:
wp_create_nonce( 'register_for_an_event' )
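And verified in an ajax function here:
// check_ajax_referer( $action, $query_arg, $stop ): the action name comes first, then the request key that holds the nonce
check_ajax_referer( 'register_for_an_event', 'nonce', false );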
I am logging some of the transactions to a text file and finding that different users are frequently submitting the same nonce, which seems natural as it's simply an html data attribute.
Is this a reasonable use of wp nonces?
The reason I'm concerned is that I'm told that intermittently a user will attempt to register for an event via the API, and instead, the previous user to register will be added to the event a second time.
Since users do not have WP accounts, I'm imagining that nonces are not the solution to this problem.
Nonces are not the way to solve your problem. You're using it correctly. I would look at the $wpdb->insert array you're probably using, and implement a check for data to exist that matches the proposed "new" entry.
I actually set up a Twilio SMS to fire off when weird validation errors are encountered. I have it text me a message and the database row id. I usually know about the problem while my client is still on their device having trouble. They think I'm magic when I text them and ask if they're having an issue.
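Added example, not part of the answer above or of the asker's code: one way to write the AJAX handler so that the nonce result is actually tested, the registrant is taken from the visitor's own session, and a matching row is looked up before `$wpdb->insert`. The handler name, the `event_registrations` table and its columns, the `account_id` session key, the `event` request field and the use of `WP_Session::get_instance()` are assumptions.

```php
<?php
// Added example. Table, column, session-key and request-field names are hypothetical.
add_action( 'wp_ajax_nopriv_register_for_an_event', 'example_register_for_an_event' );

function example_register_for_an_event() {
    global $wpdb;

    // With $stop = false the return value must be tested, otherwise a failed
    // nonce check is silently ignored.
    if ( ! check_ajax_referer( 'register_for_an_event', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Identity comes from this visitor's server-side session only. By default all
    // logged-out visitors receive the same nonce, so it cannot tell them apart.
    $session    = WP_Session::get_instance(); // assumes the WP Session Manager plugin
    $account_id = isset( $session['account_id'] ) ? absint( $session['account_id'] ) : 0;
    $event_id   = isset( $_POST['event'] ) ? sanitize_text_field( wp_unslash( $_POST['event'] ) ) : '';

    if ( ! $account_id || '' === $event_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in or no event given' ), 400 );
    }

    $table = $wpdb->prefix . 'event_registrations'; // hypothetical table

    // Look for a row matching the proposed entry before inserting.
    $existing = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT id FROM {$table} WHERE account_id = %d AND event_id = %s LIMIT 1",
            $account_id,
            $event_id
        )
    );
    if ( null !== $existing ) {
        wp_send_json_error( array( 'message' => 'Already registered', 'row' => (int) $existing ), 409 );
    }

    $inserted = $wpdb->insert(
        $table,
        array( 'account_id' => $account_id, 'event_id' => $event_id ),
        array( '%d', '%s' )
    );
    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'Insert failed' ), 500 );
    }

    wp_send_json_success( array( 'row' => $wpdb->insert_id ) );
}
```

A SELECT followed by an INSERT can still race under concurrent requests; a unique index on the two columns closes that window at the database level.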