Forum Replies Created
-
In reply to: Nonce check fail using reverse proxy
Was offline for a week and finally found some time to give it a try. I used the coding below to use HTTP_X_FORWARDED_HOST if it’s provided for function bhp_verify_nonce_request, so I do not skip any checks this way.
function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {// Get the home URL
$home_url = strtolower( home_url() );// Build the currently requested URL
$scheme = is_ssl() ? 'https://' : 'http://';
$request_host = $_SERVER["HTTP_X_FORWARDED_HOST"]? $_SERVER["HTTP_X_FORWARDED_HOST"] : $_SERVER["HTTP_HOST"];
$requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );// Check the nonce
$result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;// Nonce check failed
if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
$result = false;// Do extra things
do_action( 'bbp_verify_nonce_request', $action, $result );return $result;
}
In reply to: Nonce check fail using reverse proxyThanks so much for your kind advice.
Solving it on the proxy host as proposed by @zaerl is most likely the best way, however reverse proxy is running on a shared web hoster system, and I just have a web-Interface to enter the forward address. I’ll check, but maybe it’s not possible to apply the parameters suggested by @zaerl.
Maybe there is a chance HTTP_X_FORWARDED_HOST is set, then I could use
something like this(??):$_SERVER["HTTP_X_FORWARDED_HOST"]? $_SERVER["HTTP_X_FORWARDED_HOST"] : $_SERVER["HTTP_HOST"](sorry if this is wrong syntax, but I don’t know PHP)
I’ll have a look at 2.2 once it ‘s released. Maybe this also helpful.
BTW: Is a nonce check not usually using a cryptographic hash (token). I wonder here you just check HTTP-Header attributes?Is this a strong check?
