Can I make my WordPress nonce have a quicker expiration? (via wp_verify_nonce)

StackOverflow https://stackoverflow.com/questions/10874682

12-06-2021

Question

WordPress has a nonce mechanism whereby a plugin can emit a nonce into client-side code, and then verify the nonce when the client communicates back to the server.

I looked in the source code for wp_verify_nonce() (in wp-includes/pluggable.php), and see that it returns true if the nonce is 24 hours old or less.

Is it possible for me to create a nonce that can be verified to be ... let's say... .1 minute old?

How?

I think there is a way via add_filter() and nonce_life. But I don't want the nonces everywhere to have a short life. I want only the nonce used by my plugin to have a short life.


Solution

I found little documentation on the WordPress nonce.

While the code itself is not very complicated, and there is a way to simply replace the wp_verify_nonce() function, I believe the nonce is used in many places throughout WordPress, and I'm not confident that my replacement will not break other things.

Lacking any helpful suggestions from here or other places, I abandoned the idea of making my nonce expire more quickly and just added my own nonce/timestamp field.

The plugin I am writing generates a nonce and then embeds it in a script block, which is then rendered in the webpage. When the JavaScript in the page communicates back to the WordPress admin-ajax.php, it sends back the nonce. WordPress then verifies the nonce with wp_verify_nonce() and allows the request if the nonce has not expired - either 12 or 24 hours as you wish. This check also verifies the identity of the caller.

What I did was simply generate another nonce, an encrypted timestamp. It gets embedded into the JavaScript script block, in the same way as the WP nonce. It gets retransmitted in the same way, and verified in a similar manner: I decrypt and check that the timestamp is "recent". The difference is that my plugin controls the verification so I can set the threshold for "recency".
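One way to implement the plugin-scoped, short-lived token the answer describes, as an added example that is not the answerer's code: it mirrors the construction WordPress itself uses for nonces (an HMAC over tick|action|user, with the plugin's own lifetime instead of the global nonce_life) rather than encrypting the timestamp, since an HMAC is what stops a client from altering the time value. The `myplugin_` names, the `myplugin_save` action and the 60-second lifetime are assumptions; `wp_salt()`, `get_current_user_id()`, `wp_localize_script()`, `check_ajax_referer()` and `wp_send_json_error()` are real WordPress functions.

```php
<?php
// Added example, not the original answer's code. Hypothetical plugin prefix "myplugin_".
const MYPLUGIN_TOKEN_LIFE = 60; // seconds; the plugin's own "recency" threshold

function myplugin_token_tick(int $life = MYPLUGIN_TOKEN_LIFE): int {
    // Same scheme as wp_nonce_tick(): ticks of half the lifetime, so a token is
    // valid for between life/2 and life seconds, exactly like core nonces.
    return (int) ceil(time() / ($life / 2));
}

function myplugin_create_token(string $action): string {
    $tick = myplugin_token_tick();
    $uid  = get_current_user_id();
    // HMAC keyed with the site's nonce salt: the client can read the tick but
    // cannot forge or extend it without the server-side secret.
    $mac = hash_hmac('sha256', "$tick|$action|$uid", wp_salt('nonce'));
    return $tick . '.' . substr($mac, 0, 20);
}

function myplugin_verify_token(string $token, string $action): bool {
    if (!preg_match('/^(\d+)\.([0-9a-f]{20})$/', $token, $m)) {
        return false; // malformed or tampered format
    }
    $uid = get_current_user_id();
    $now = myplugin_token_tick();
    // Accept the current tick and the one before it (as wp_verify_nonce does),
    // so a token issued just before a tick boundary is not rejected at once.
    foreach ([$now, $now - 1] as $tick) {
        if ((int) $m[1] !== $tick) {
            continue;
        }
        $expected = substr(hash_hmac('sha256', "$tick|$action|$uid", wp_salt('nonce')), 0, 20);
        if (hash_equals($expected, $m[2])) { // constant-time comparison
            return true;
        }
    }
    return false; // expired, wrong action, wrong user, or bad MAC
}

// Emit next to the normal WP nonce in the script block:
// wp_localize_script('myplugin-js', 'myplugin', ['token' => myplugin_create_token('myplugin_save')]);
// In the admin-ajax handler, after check_ajax_referer() has accepted the WP nonce:
// if (!myplugin_verify_token($_POST['token'] ?? '', 'myplugin_save')) {
//     wp_send_json_error('token expired', 403);
// }
```

The WordPress nonce still does the identity check the answer relies on; this token only adds the tighter expiry, so both must pass.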

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow