If you get the dreaded “Invalid form key” or “Ongeldige formuliersleutel” error while logging in or working in the admin, something is wrong with your setup.

Since version (and patch SUPEE-6788), Magento requires a secret form token to prevent XSRF attacks. Here are some solutions. For these solutions we assume that you have Magerun installed, because on Hypernode it is installed by default.

Wrong cookie domain or path?

If you cannot log in, check that your shop uses the right cookie domain and path. For example:

Here, no cookie domain or path is configured, which is OK (nonrestrictive). If the wrong domain or path is configured, you can correct this with:

Check cookie domain and path in Magento 2

For Magento 2, you can use the following command to check the cookie domain and path:

To correct the path, use the following:

PHP choking on too many form values?

Create a file /data/web/public/.user.ini with this line:

Last resort: disable admin form key

If you are locked out of your admin panel, you could use this as a last resort:

However, this switches off the XSRF protection that the form key provides, so it should only be used as a temporary measure while you figure out what is wrong with your setup.

Need help?

Magento is not an easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re not Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.