Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Teo Alex

    (@altesin)

    Hello @luislu ,

    This issue is caused by page caching. The security nonce (ps-password-nonce) is generated dynamically and embedded in the page output. When the page is cached by a caching plugin, the nonce is also cached and, after some time, it expires.

    When this happens, any AJAX request that uses the cached nonce will return a “Security check failed” error.

    To fix this, please configure your caching plugin to do one of the following:

    • Exclude the page where Passster is used from page cache, or
    • Exclude the passster-public.js script from being cached.

    After excluding the page or script, please clear the cache and test again.

    This is standard WordPress behavior when nonces are used on cached pages.

    Have a great day!

    Thread Starter Diiamo

    (@luislu)

    I bypass the Passster cookie; will this help?

    Plugin Author Teo Alex

    (@altesin)

    Hello @luislu,

    Unfortunately, no. Bypassing only the Passster cookie is not enough.

    Are you using a caching plugin? If so, which one?

    Thread Starter Diiamo

    (@luislu)

    “Exclude the passster-public.js script from being cached.” As far as I know, only HTML can be excluded from being cached. How do I exclude passster-public.js?

    Do you mean exclude from minify?

    • This reply was modified 3 months, 3 weeks ago by Diiamo.
    Thread Starter Diiamo

    (@luislu)

    Hi @altesin, I am using W3TC and Super Page Cache by Themeisle, and the Cloudflare CDN free plan. Thank you.

    • This reply was modified 3 months, 3 weeks ago by Diiamo.
    Plugin Author Teo Alex

    (@altesin)

    Hello @luislu ,

    This issue is caused by HTML page caching through Super Page Cache and Cloudflare. Because the security nonce for password verification is added inline to the page, it is cached and expires over time.

    To prevent this, we recommend excluding the Passster-protected page from HTML page caching in Super Page Cache or Cloudflare.

    Thread Starter Diiamo

    (@luislu)

    Hi @altesin

    How long until the security nonce expires/changes?

    Thread Starter Diiamo

    (@luislu)

    If I can automatically clear the page cache within the security nonce expiration date, that can solve this issue, right?

    • This reply was modified 3 months, 1 week ago by Diiamo.
    Plugin Author Teo Alex

    (@altesin)

    Hello @luislu ,

    By default, a WordPress nonce is valid for up to 24 hours (internally it rotates every ~12 hours). After that, any request using that nonce will fail and return the “Security check failed” message.

    If you automatically clear the cache every X hours, then yes, it will appear to “fix” the problem, because a new page will be generated and a fresh nonce will be inserted.

    The proper solution is to exclude Passster-protected pages from page cache.
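
The nonce lifetime described in the reply above, as an added example that is not part of the thread or the plugin's code: a simplified Python model of WordPress's 12-hour tick scheme, showing how long a nonce baked into a cached page keeps verifying. The key, the HMAC-SHA256 stand-in for WordPress's own hash, and the helper names are assumptions; real WordPress nonces also bind the user ID and session token.

```python
import hashlib
import hmac

NONCE_LIFE = 24 * 3600         # WordPress default nonce lifetime, in seconds
TICK = NONCE_LIFE // 2         # the tick counter advances every 12 hours
KEY = b"constructed-demo-key"  # constructed; stands in for the site's secret salt
ACTION = "ps-password-nonce"   # name from the thread, used here only as a label


def tick(now):
    """Number of the 12-hour window containing `now` (Unix seconds, rounded up)."""
    return -(-now // TICK)


def _token(tick_no, action):
    """Ten hex characters of an HMAC over tick and action (simplified model)."""
    msg = f"{tick_no}|{action}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, now):
    """Nonce as it would be embedded in the page rendered at `now`."""
    return _token(tick(now), action)


def verify_nonce(nonce, action, now):
    """Accept a nonce from the current tick or the previous one, nothing older."""
    return any(
        hmac.compare_digest(_token(tick(now) - age, action), nonce)
        for age in (0, 1)
    )


def cached_nonce_lifetime(rendered_at):
    """Seconds the nonce in a page rendered at `rendered_at` keeps verifying."""
    return tick(rendered_at) * TICK + TICK - rendered_at


def stale_window(rendered_at, cache_ttl):
    """Seconds during which the cache still serves the page but its nonce fails."""
    return max(0, cache_ttl - cached_nonce_lifetime(rendered_at))
```

In this model the embedded nonce lasts between 12 and 24 hours depending on where in the current tick the page was rendered, so `stale_window` is zero only when the cache TTL does not exceed the remaining lifetime.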

    Thread Starter Diiamo

    (@luislu)

    I found a solution: set the cache plugin to bypass the page cache, then set the cache expiration time to within 12 hours on the CDN.

    Thread Starter Diiamo

    (@luislu)

    Hi @altesin ,

    The new version today says “Changed: Prevent nonce from being cached.” Does that mean the page HTML can be cached for a long time now?
