Best practice using nonce with front end login?


I have built some functionality into my WordPress theme to allow users to register and login through the front end using ajax functionality to verify and register/log the user in.

My question is regarding the nonce. Because I use a caching plugin, for a certain period of time between the nonce expiring and the page cache refreshing, the page displays an expired nonce and therefore the ajax login does not work, as it's sending the old cached nonce.

My question is, what is the best practice for this situation?

As I see it I have several options:

1- Remove the nonce completely for login/registration and just leave it open so anyone can try to log in/register directly through ajax. Is this a security issue or is it standard?

2- Somehow load the nonce dynamically through another ajax request to bypass the caching feature.

3- Build my own nonce system that also refreshes the cache when the nonce is updated. (seems overkill)

I feel like this should be fairly standard and I shouldn't have to re-invent the wheel, but I can't seem to find an answer. I've seen some people online say one should just refresh the cache more often, but even then, from my calculations, there would still be a period of time between the nonce expiring and the cache refreshing where the nonce would be invalid.

Thanks for the help!
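Option 2 from the post, fetching the nonce through a separate uncached request, worked through as an added example (this is not the poster's code or a WordPress-supplied snippet). It assumes a theme script handle `theme-frontend-login` backed by a file `js/frontend-login.js`, a login form with id `frontend-login`, and the ajax action names `frontend_login_nonce` and `frontend_login`; all of those names are assumptions.

```php
<?php
// Added example, not code from the original post. Assumed names: the
// "frontend_login_nonce" and "frontend_login" ajax actions, the script
// handle "theme-frontend-login" with its file js/frontend-login.js, and
// a login <form id="frontend-login"> in the theme.

// 1. Uncached endpoint that hands out a fresh nonce. admin-ajax.php is
//    normally excluded from page caches; nocache_headers() also stops
//    browsers and proxies from storing the reply.
function theme_get_login_nonce() {
    nocache_headers();
    wp_send_json_success( array(
        'nonce' => wp_create_nonce( 'frontend_login' ),
    ) );
}
add_action( 'wp_ajax_frontend_login_nonce', 'theme_get_login_nonce' );
add_action( 'wp_ajax_nopriv_frontend_login_nonce', 'theme_get_login_nonce' );

// 2. The login handler keeps its nonce check. check_ajax_referer() ends the
//    request with a -1 body when the "nonce" field is missing or expired.
function theme_frontend_login() {
    check_ajax_referer( 'frontend_login', 'nonce' );

    $creds = array(
        'user_login'    => isset( $_POST['log'] ) ? sanitize_user( wp_unslash( $_POST['log'] ) ) : '',
        'user_password' => isset( $_POST['pwd'] ) ? (string) wp_unslash( $_POST['pwd'] ) : '',
        'remember'      => ! empty( $_POST['rememberme'] ),
    );
    $user = wp_signon( $creds, is_ssl() );

    if ( is_wp_error( $user ) ) {
        // One generic message: do not reveal which field was wrong.
        wp_send_json_error( array( 'message' => __( 'Login failed.', 'theme' ) ), 401 );
    }
    wp_send_json_success( array( 'redirect' => esc_url_raw( home_url( '/' ) ) ) );
}
add_action( 'wp_ajax_nopriv_frontend_login', 'theme_frontend_login' );

// 3. Front-end script: only the ajax URL is printed into the cacheable page.
//    The nonce is requested at submit time, so a stale cached copy of the
//    page can never carry an expired nonce.
function theme_enqueue_login_script() {
    wp_enqueue_script( 'theme-frontend-login', get_theme_file_uri( 'js/frontend-login.js' ), array(), null, true );
    wp_localize_script( 'theme-frontend-login', 'themeLogin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
    wp_add_inline_script( 'theme-frontend-login', <<<'JS'
document.getElementById('frontend-login').addEventListener('submit', async (ev) => {
  ev.preventDefault();
  const form = ev.target;
  // Fetch a fresh nonce right before submitting; cache: 'no-store' keeps the
  // browser from reusing an old answer.
  const nonceRes = await fetch(themeLogin.ajaxUrl + '?action=frontend_login_nonce',
                               { credentials: 'same-origin', cache: 'no-store' });
  const nonceOut = await nonceRes.json();
  const body = new URLSearchParams(new FormData(form));
  body.set('action', 'frontend_login');
  body.set('nonce', nonceOut.data.nonce);
  const res = await fetch(themeLogin.ajaxUrl,
                          { method: 'POST', credentials: 'same-origin', body });
  const out = await res.json();
  if (out.success) {
    window.location.assign(out.data.redirect);
  } else {
    form.querySelector('.error').textContent = out.data ? out.data.message : 'Login failed.';
  }
});
JS
    );
}
add_action( 'wp_enqueue_scripts', 'theme_enqueue_login_script' );
```

Two points worth keeping in mind when judging option 1 against this: for logged-out visitors a WordPress nonce is not bound to a session, so on a login endpoint it acts as an expiry and same-origin check rather than an authentication control, and the login handler still needs its own abuse controls (rate limiting, lockouts) whatever you decide about the nonce. Cache exclusion for `admin-ajax.php` should be confirmed in the caching plugin's settings rather than assumed.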
