We have a WordPress site (not multi-site) running on a distributed system, where two (or more) servers sit behind a load balancer. We've routed most (not all) requests to /wp-admin/ to hit a specific server (call it server1) and any front-end traffic can hit any server. We also copy all files inside /public_html/ from server1 to the other servers, so we don't have to use NFS or similar.
We noticed that when server1 creates a request using wp_create_nonce and then server2 tries to verify it using wp_verify_nonce the validation fails.
The example we have was with wp-cron.php initiating an async request hitting the application, which always fails if server2 deals with the request and never fails if server1 deals with it.
So when server1 calls /wp-admin/admin-ajax.php?action=wc_whatever_action&nonce=12345, if the request goes into server1 it works fine, but if it hits server2, it fails with 403.
If we were to use Sticky Sessions, this issue would probably go away, but on Nginx Load Balancers, this only comes with Nginx Plus at a significant cost, and alternatives like the Cloudflare Load Balancer don't quite meet our needs, so I'm exploring different solutions.
All salts in wp-config.php are the same across all servers.
I've seen a couple of plugins around PHP Sessions where they store the $_SESSION in SQL/Redis, but I'm not too sure those will work, as I don't think WordPress actually uses Sessions in core.
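
An added illustration, not part of the original post and not WordPress's own code: a stand-alone PHP model of the inputs that core's wp_create_nonce and wp_verify_nonce hash together, run against constructed values to show which mismatches between the creating and the verifying request make verification fail. The `model_*` function names, the sample salt, the session token and the timestamps are assumptions made for the example.

```php
<?php
// Stand-alone model of how WordPress core derives and checks a nonce.
// It does not load WordPress; every input below is a constructed sample value.

const NONCE_LIFE = 86400; // core default for the 'nonce_life' filter (one day)

// Mirrors wp_nonce_tick(): a counter that advances every half nonce lifetime.
function model_nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Mirrors wp_create_nonce(): HMAC-MD5 over tick|action|uid|token, keyed with
// NONCE_KEY . NONCE_SALT, keeping 10 hex characters of the digest.
function model_create_nonce(array $ctx, string $action, ?int $tick = null): string {
    $tick = $tick ?? model_nonce_tick($ctx['now']);
    $data = $tick . '|' . $action . '|' . $ctx['uid'] . '|' . $ctx['token'];
    return substr(hash_hmac('md5', $data, $ctx['salt']), -12, 10);
}

// Mirrors wp_verify_nonce(): accept the current tick or the previous one.
function model_verify_nonce(string $nonce, array $ctx, string $action): bool {
    $tick = model_nonce_tick($ctx['now']);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(model_create_nonce($ctx, $action, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed context of the request that creates the nonce.
$server1 = [
    'now' => 1700000000, 'uid' => 1,
    'token' => 'sample-session-token', 'salt' => 'sample-nonce-key' . 'sample-nonce-salt',
];
$nonce = model_create_nonce($server1, 'wc_whatever_action');

// Constructed contexts of the verifying request, each differing in one input.
$cases = [
    'identical inputs'          => $server1,
    'no auth cookie (uid 0)'    => ['uid' => 0, 'token' => ''] + $server1,
    'different nonce key/salt'  => ['salt' => 'other-key' . 'other-salt'] + $server1,
    'clock more than a day off' => ['now' => $server1['now'] + 2 * NONCE_LIFE] + $server1,
];
foreach ($cases as $label => $ctx) {
    $ok = model_verify_nonce($nonce, $ctx, 'wc_whatever_action');
    printf("%-27s %s\n", $label, $ok ? 'verifies' : 'fails');
}
```

The session token in this model stands for the value core reads from the logged-in cookie via wp_get_session_token(), not a PHP $_SESSION entry, so the user ID and token only match when the verifying request carries the same cookie as the one that created the nonce.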