wp_create_nonce() and wp_verify_nonce()
A WordPress nonce is a keyed hash (built with NONCE_KEY and NONCE_SALT) of the action name, the logged-in user ID, the user's session token and a time tick. It is therefore tied to the user who was logged in when it was created: it will not verify for other users, and it will not verify after that user has logged out, because the user ID and session token no longer match. It is also time-limited rather than single-use: wp_verify_nonce() returns 1 if the nonce was created within the last 12 hours, 2 if it was created 12 to 24 hours ago, and false otherwise. It never throws, so the return value must always be checked.
//When rendering the form: emits a hidden input named my_site_request_nonce (plus a _wp_http_referer field, because the third argument is true). The fourth argument is false, so the HTML is returned instead of printed. The nonce lets the handler check that the request was produced by a form this site rendered for this user, not by a form on some other site (CSRF protection).
$OurNonceField = wp_nonce_field( 'MySiteSomeUniqueNonceName', 'my_site_request_nonce', true, false );
echo $OurNonceField; //Output inside the <form> ... </form>
//When handling the submission: read the field under the name given above (not the default _wpnonce) and verify it against the same action name used to create it.
$nonce = isset( $_REQUEST['my_site_request_nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['my_site_request_nonce'] ) ) : '';
if ( ! wp_verify_nonce( $nonce, 'MySiteSomeUniqueNonceName' ) ) {
    wp_die( 'Security check failed' ); //Nonce is missing, expired, or was created for another user or action.
}
MySiteSomeUniqueNonceName
This first argument is the nonce action. The action name is mixed into the hash, so a nonce created for one action will not verify for another, and you can give each form on the site its own action, ideally including the object being acted on (for example 'delete-post_' . $post_id, which is the convention WordPress core uses). Moving away from the WP default action of -1 is the minimum. A single site-wide action name is still a large improvement over no nonce at all, but it means a nonce leaked from any one form will pass verification on every other form for that user for up to 24 hours, so per-form (and per-object) actions are the safer default.
my_site_request_nonce
The second argument is the field name: the name of the hidden input, and therefore of the POST or GET parameter, that carries the nonce when the form is submitted. It is publicly visible in the page source, as is the nonce value itself; neither is a secret. The secrets are NONCE_KEY and NONCE_SALT in wp-config.php. Note also that a valid nonce only shows the request came through your form for this user; it is not an authorization check, so the handler still needs something like current_user_can().
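The following is an added worked example, not code from the original page, showing the complete form round trip described above with a per-object nonce action and a separate capability check. The function names mysite_render_delete_form and mysite_handle_delete, the admin-post action mysite_delete_item, and the field name mysite_delete_nonce are hypothetical; deleting a post is used as a stand-in for whatever the real form does.

```php
<?php
// Added example (not from the original page): a complete form round trip with a
// per-object nonce action. Hypothetical names: mysite_render_delete_form,
// mysite_handle_delete, the mysite_delete_item admin-post action and the
// mysite_delete_nonce field. Deleting a post stands in for the real operation.

// 1. Render the form. The nonce action embeds the post ID, so a nonce obtained
//    for one item cannot be replayed against another item.
function mysite_render_delete_form( $post_id ) {
    $post_id = (int) $post_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mysite_delete_item">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <?php wp_nonce_field( 'mysite_delete_item_' . $post_id, 'mysite_delete_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

// 2. Handle the submission. admin_post_{action} fires only for logged-in users;
//    logged-out visitors would need admin_post_nopriv_{action}, which is
//    deliberately not registered here.
function mysite_handle_delete() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $nonce   = isset( $_POST['mysite_delete_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['mysite_delete_nonce'] ) )
        : '';

    // Rebuild the action string from the submitted post ID. If an attacker swaps
    // post_id, the recomputed hash no longer matches and verification fails.
    if ( ! wp_verify_nonce( $nonce, 'mysite_delete_item_' . $post_id ) ) {
        wp_die( 'Security check failed: invalid or expired nonce.', '', array( 'response' => 403 ) );
    }

    // The nonce proves the request came through our form for this user. It does
    // not prove the user may delete this post; that is a separate check.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this item.', '', array( 'response' => 403 ) );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_mysite_delete_item', 'mysite_handle_delete' );
```

The two-line verify-then-die pattern in the handler is what check_admin_referer( 'mysite_delete_item_' . $post_id, 'mysite_delete_nonce' ) does in one call; it is used expanded here so the wp_verify_nonce() return value is visible. The capability check is not optional: a subscriber can obtain a perfectly valid nonce for their own session simply by loading the page.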
Using with Ajax Calls
When the browser calls admin-ajax.php, WordPress reads the login cookie and sets up the current user before your callback runs, exactly as it does for a normal page request. wp_create_nonce() and check_ajax_referer() therefore see the same user ID on both sides, and the nonce stays tied to that user. Never send the user ID from the client and trust it on the server, since the client can set it to anything; use get_current_user_id() on the server instead.
//PHP: create the nonce while rendering the page (in the template that also outputs the script below)
$AjaxNonce = wp_create_nonce( 'my-nonce-special-string' );
//JavaScript, inline in that template so PHP can embed the nonce value. esc_js() keeps the value from breaking out of the string literal
var post_data = {
    'action': 'my_ajax_callback', //The name of the ajax action: WordPress dispatches it to the wp_ajax_my_ajax_callback hook registered in functions.php
    'security': '<?php echo esc_js( $AjaxNonce ); ?>',
    'my_value_1': 9876
};
jQuery.post(ajaxurl, post_data); //ajaxurl is predefined only on admin pages; on the front end pass admin_url('admin-ajax.php') to the script yourself
//PHP: verify it in the ajax callback
function my_ajax_callback() {
    check_ajax_referer( 'my-nonce-special-string', 'security' ); //Checks $_REQUEST['security'] against the action; the user ID comes from the logged-in session, not from the request. Calls wp_die() if the nonce cannot be verified
    $user_id = get_current_user_id(); //Use this if your function wants the WordPress user_id; never take it from the request
    $my_value = isset( $_POST['my_value_1'] ) ? (int) $_POST['my_value_1'] : 0;
    wp_send_json_success( array( 'user_id' => $user_id, 'my_value_1' => $my_value ) ); //Sends the JSON response and exits
}
add_action( 'wp_ajax_my_ajax_callback', 'my_ajax_callback' ); //Logged-in users only; a wp_ajax_nopriv_ hook would be needed to serve logged-out visitors
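The following is an added example, not code from the original page, showing a front-end AJAX round trip where ajaxurl is not predefined: the nonce and the admin-ajax URL are handed to an enqueued script with wp_localize_script(), and check_ajax_referer() is called with its third argument set to false so a failed check can be reported as a JSON error instead of a bare die(). The names mysite_enqueue_ajax, mysite_ajax_update_score, the mysiteAjax JavaScript object, the mysite_update_score action and the mysite_score user meta key are hypothetical, and edit_posts stands in for whatever capability the real operation needs.

```php
<?php
// Added example, not the original page's code: a front-end (non-admin) AJAX round trip.
// Hypothetical names: mysite_enqueue_ajax, mysite_ajax_update_score, the mysiteAjax JS
// object, the mysite_update_score action/hook and the mysite_score meta key; 'edit_posts'
// stands in for the real capability.

// 1. Hand the nonce and the admin-ajax URL to the browser. On the front end `ajaxurl` is
//    not defined, so it is passed here; the nonce is created server-side for the current user.
function mysite_enqueue_ajax() {
    wp_enqueue_script( 'jquery' );
    wp_localize_script( 'jquery', 'mysiteAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mysite_update_score' ),
    ) );
    // Inline JS so the example is one file; in a real plugin this lives in an enqueued .js file.
    $js = <<<'JS'
jQuery(function ($) {
    $('#save-score').on('click', function () {
        $.post(mysiteAjax.url, {
            action:   'mysite_update_score',
            security: mysiteAjax.nonce,
            score:    parseInt($('#score').val(), 10)
        }).done(function (resp) {
            console.log(resp.success ? 'saved' : 'rejected: ' + resp.data);
        }).fail(function (xhr) {
            console.log('HTTP ' + xhr.status); // 403 when the nonce or capability check fails
        });
    });
});
JS;
    wp_add_inline_script( 'jquery', $js );
}
add_action( 'wp_enqueue_scripts', 'mysite_enqueue_ajax' );

// 2. Handle the request. The third argument (false) makes check_ajax_referer() return false
//    instead of dying, so the failure can be answered with a proper JSON error and a 403.
function mysite_ajax_update_score() {
    if ( false === check_ajax_referer( 'mysite_update_score', 'security', false ) ) {
        wp_send_json_error( 'invalid or expired nonce', 403 );
    }
    // Nonce passed: the request came from this user's browser through our page. Now authorize.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $user_id = get_current_user_id(); // from the session, never from the request body
    $score   = isset( $_POST['score'] ) ? (int) $_POST['score'] : 0;
    update_user_meta( $user_id, 'mysite_score', $score );
    wp_send_json_success( array( 'user_id' => $user_id, 'score' => $score ) );
}
add_action( 'wp_ajax_mysite_update_score', 'mysite_ajax_update_score' );
// No wp_ajax_nopriv_ hook is registered, so logged-out visitors get admin-ajax.php's default "0" reply.
```

Because the nonce is minted with the current user's ID and session token at page-render time, a page cached and served to a different user would carry a nonce that fails verification for that user; if you cache front-end pages, generate the nonce in a separate uncached request or exclude logged-in pages from the cache.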