Understanding some interactions between cookies, sessions, nonces, multisite...
I just spent a *very* dull few hours tracing a problem, whereby
wp_create_nonce() returned a nonce which wp_verify_nonce() (running via
AJAX) did not accept.
This happened as follows:
1) the site was a sub-folder based multisite
2) the nonce was created by a page in the network dashboard, at
wp-admin/network/settings.php, and output in some JS on the settings page.
3) the ajaxurl JS variable being output by wp-admin/admin-header.php
goes via the main site which in this case lived at /main, and thus
ajaxurl was set to wp-admin/main/admin-ajax.url
4) The browser had a different wordpress_logged_in_(hex) cookie value
for /main than for /. i.e. Two separate cookies existed in the browser.
(The value of (hex) was the same - i.e. neither cookie lookup was empty).
5) This resulted in wp_get_session_token() returning a different value
when the nonce was checked (via AJAX, which got the cookie whose path
was set to /main) compared to when it was set (via the network dashboard
page, which got the cookie whose path was set to /).
I cleared all my cookies, and logged in via /wp-login.php again. Same
happened. Both cookies returned.