Maybe the title sounds a little contradictory, as WordPress nonces are not stored data, so they don’t need to be expired. They are just hashes which are used for anti-CSRF purposes.
But for some special cases we may need to make a nonce “expire”.
I mean, the first request should work, and the second request should return false. Or it should work today, and from tomorrow on it should return invalid.
This operation smells more like an anti-brute-force measure than anti-CSRF, because anti-CSRF technology doesn’t have any relation to time and expiration.
So, our aim is to create a form which works only once or only temporarily. This solution may be useful when we make AJAX requests which should run only once via setTimeout. So after
Let’s do that. (I wrote the sample for AJAX nonces, but the same method can be used with input and URL nonces too.)
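One way to get the one-time, time-limited behaviour described above, as an added example rather than the author's own sample: because a WordPress nonce is not stored, single use needs a server-side record, kept here in a transient. The names `otn_create`, `otn_verify`, the `otn_demo` action and the 300-second lifetime are assumptions, and the code is meant to run inside a WordPress plugin.

```php
<?php
// Added example (not the author's code): single-use, short-lived nonce.
// Hypothetical names: otn_create(), otn_verify(), AJAX action 'otn_demo'.

const OTN_TTL = 300; // assumed lifetime in seconds

// Issue a random token plus a nonce bound to it, and remember the token.
function otn_create( $action ) {
    $token = bin2hex( random_bytes( 16 ) ); // unique per issued form
    set_transient( 'otn_' . $token, 1, OTN_TTL );
    return array(
        'token' => $token,
        'nonce' => wp_create_nonce( $action . '|' . $token ),
    );
}

// Accept the pair once: the stored token is deleted on first success.
function otn_verify( $action, $token, $nonce ) {
    if ( ! preg_match( '/^[0-9a-f]{32}$/', $token ) ) {
        return false; // malformed token, never touch the store
    }
    if ( ! wp_verify_nonce( $nonce, $action . '|' . $token ) ) {
        return false; // ordinary anti-CSRF check failed
    }
    $key = 'otn_' . $token;
    if ( false === get_transient( $key ) ) {
        return false; // expired, or already redeemed
    }
    // Only the request whose delete succeeds is accepted, which narrows
    // the window for two concurrent requests replaying the same pair.
    return delete_transient( $key );
}

// AJAX handler for logged-in users: the second call with the same pair fails.
add_action( 'wp_ajax_otn_demo', function () {
    $token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! otn_verify( 'otn_demo', $token, $nonce ) ) {
        wp_send_json_error( 'expired_or_used', 403 );
    }
    wp_send_json_success( 'ok' );
} );
```

The page that renders the form calls `otn_create( 'otn_demo' )` and sends both returned values with the request.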