Wordpress - wp_verify_nonce vs check_admin_referer

I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce, and the referring url. After digging into the core code I realised that it did not do this. Thinking it was a bug I reported it, and Ryan Boren replied with the following:

Actually, if the nonce is valid the referrer should not be checked. The unreliability of referrers is one of the reasons that nonces are used. Nonces replace referrer checking entirely. The only time we check the referrer is when handling the -1 backward compatibility condition. -1 means that someone is not using nonces so we fall back to referrer checking. This usage is now very rare. check_admin_referer() is badly named now that it almost never does referrer checking. It would be better named something like check_nonce(), but we keep it as is for back compat and old times sake.

So there is in fact there is no difference.


NO! BEWARE !!!

Don't count on check_admin_referer() without correct parameters! Because, in some cases it may not die() (as opposed to your expectations), instead it will just return the false response.

Look through the outlined behavior of source code logic:

function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
    $result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

    //Now, "die() check"
    if ( ! $result && ( -1 !== $action || strpos( wp_get_referer(), admin_url() ) !== 0 ) ) {
        die();
    }
    return $result;
}

So, you need to realize what the logic does. Here breakdown:

A) if you call just check_admin_referrer() without parameters:

  • REMEMBER, it will use the automatically built-in _wpnonce value (that is safe, but still remember to have exactly that field when submitting).
  • As you called it without paremeters, it uses default -1 value for action, leading the die() check to be skipped and function will not die()
  • So, you should always use (when calling without parameters):

if ( check_admin_referer() ) exit;

B) if you want check_admin_referrer to die automatically, then you should always create your nonces & call it with parameters:

check_admin_referrer($action_name, $name_field );

Tags:

Security

Admin

Nonce

Related

Wordpress - add_action reference a class Wordpress - Remove or Edit <dc:creator> in Feeds Wordpress - Give users a maximum upload capacity; limit the number of files a user can upload OR limit the number of files per upload Wordpress - How to define WP_DEBUG as true outside of wp-config.php? Wordpress - Custom post type: Add "Edit | Quick Edit | Trash | View" links to date (if title is not shown in column)? Wordpress - What is the correct way to use WordPress functions outside WordPress files? Wordpress - Allowing users to edit only their page and nobody else's Wordpress - Can I Prevent Enumeration of Usernames? Wordpress - Edit "thank you for creating with Wordpress" in version 3.3.1 Wordpress - Does wordpress create activity, update logs? Wordpress - Disable new user notification to admin email Wordpress - What is the correct MIME type for PSD (Photoshop)

Recent Posts