Reputation: 64206
I have a vague understanding of nonces but have a little confusion.
What is the correct response when nonce validation fails?
Under what circumstances could nonce validation fail? What is the risk to genuine users?
Upvotes: 4
Views: 8239
Reputation: 3722
The goal of nonces with forms is generally twofold: to ensure the data is only submitted once, and to ensure the user actually does the submitting. The second point helps defend against cross-site request forgeries: http://en.wikipedia.org/wiki/Cross-site_request_forgery
Dealing with them depends on the context. If a user is filling out a form and the nonce fails, refresh the page (pre-fill the data), say something benign like "Oops there was a problem, please check your input and submit again". A valid user can hit submit, an attack will be thwarted, or the user at least made aware of what's happening.
Validation can fail for a few reasons. If you've got some form of browser cache enabled, a user visits one form (with a given nonce), then navigates to a different one (with its own nonce) and returns to the first via the back button, the nonce will likely fail. By allowing the browser cache to occur they haven't refreshed the page, and your server is likely only storing a single valid nonce for them in the session, so they won't match. A valid use case, and a failed nonce (not one I'd lose sleep over, just make sure the form is re-populated).
By and large my recommendation would be: Tell the user to submit again, subtly imply they should check their input, make it easy to submit again.
Upvotes: 4
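The handling described in the answer above, as an added example that is not part of the original question or answer. It assumes an in-memory `Session` object standing in for a server-side session store and a hypothetical per-session bound `MAX_OUTSTANDING` on live form nonces; the answer's "single valid nonce in the session" is the case where that bound is 1, which is what makes the back-button scenario fail. Nonces are single-use (replay of the same form is rejected), compared in constant time, and on failure the form is re-rendered with the user's data pre-filled, a fresh nonce and a benign message.

```python
import hmac
import secrets
from collections import deque

# Assumption: a session keeps at most this many outstanding form nonces, so a
# user with several cached forms open (e.g. via the back button) can still
# submit any of them. The answer's "single valid nonce" store is the case
# MAX_OUTSTANDING == 1.
MAX_OUTSTANDING = 8


class Session:
    """Constructed stand-in for a server-side session (a dict in real code)."""

    def __init__(self, max_outstanding=MAX_OUTSTANDING):
        self.max_outstanding = max_outstanding
        self.nonces = deque()  # outstanding nonces, oldest first


def issue_nonce(session):
    """Mint a fresh nonce for a form render and remember it in the session."""
    nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session.nonces.append(nonce)
    while len(session.nonces) > session.max_outstanding:
        session.nonces.popleft()  # evict the oldest form's nonce
    return nonce


def consume_nonce(session, submitted):
    """Accept a submitted nonce exactly once. Returns True on success."""
    if not isinstance(submitted, str) or not submitted:
        return False
    submitted_bytes = submitted.encode("utf-8")
    matched = None
    # compare_digest keeps each comparison constant-time; scanning every entry
    # keeps the loop's timing independent of which slot (if any) matched.
    for candidate in session.nonces:
        if hmac.compare_digest(candidate.encode("ascii"), submitted_bytes):
            matched = candidate
    if matched is None:
        return False
    session.nonces.remove(matched)  # single use: resubmitting the same form fails
    return True


def handle_submit(session, form):
    """Validate the form's nonce and return (status, response)."""
    user_fields = {k: v for k, v in form.items() if k != "nonce"}
    if consume_nonce(session, form.get("nonce")):
        return "accepted", {"saved": user_fields}
    # Failure path from the answer: re-render with the data pre-filled, a fresh
    # nonce, and a benign message. A genuine user just hits submit again; a
    # forged cross-site request is rejected without touching application state.
    return "retry", {
        "message": "Oops, there was a problem. Please check your input and submit again.",
        "prefill": user_fields,
        "nonce": issue_nonce(session),
    }


def back_button_scenario(max_outstanding):
    """Render form A, then form B, then submit the cached copy of A."""
    session = Session(max_outstanding)
    nonce_a = issue_nonce(session)
    issue_nonce(session)  # form B renders; with a single slot this evicts A
    status, _ = handle_submit(session, {"nonce": nonce_a, "title": "draft"})
    return status


def replay_and_forgery_scenario():
    """A legitimate submit, the same form resubmitted, and a forged request."""
    session = Session()
    nonce = issue_nonce(session)
    first, _ = handle_submit(session, {"nonce": nonce, "title": "draft"})
    replay, _ = handle_submit(session, {"nonce": nonce, "title": "draft"})
    forged, resp = handle_submit(session, {"nonce": "attacker-guess", "title": "pwn"})
    return first, replay, forged, resp["prefill"]
```

`back_button_scenario(1)` reproduces the answer's cache-and-back-button failure (the second form's nonce evicted the first), while `back_button_scenario(8)` accepts the same submission; in both cases the user's fields come back in `prefill` so the retry costs them one click. Binding the nonce to the session is what stops a cross-site forgery: the attacker's page cannot read the victim's nonce, so the forged request lands on the same benign retry path.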