Fixing Invalid form key / Ongeldige formuliersleutel

in MagentoTroubleshooting

If you get the dreaded “Invalid form key” or “Ongeldige formuliersleutel” error while logging in or working in the admin, something is wrong with your setup.

Since version (and patch SUPEE-6788), Magento requires a secret form token to prevent XSRF attacks. Here are some solutions.

Wrong cookie domain or path?

If you cannot log in, check that your shop uses the right cookie domain and path. For example:

$ magerun config:get web/cookie/*
| Path | Scope | Scope-ID | Value |
| web/cookie/cookie_domain | default | 0 | |
| web/cookie/cookie_httponly | default | 0 | 0 |
| web/cookie/cookie_lifetime | default | 0 | 86400 |
| web/cookie/cookie_path | default | 0 | |
| web/cookie/cookie_restriction | default | 0 | 0 |

Here, no cookie domain or path are configured, which is ok (nonrestrictive). If the wrong domain or path is configured, you can correct this with:

$ magerun config:set web/cookie/cookie_domain ""
$ magerun cache:flush

PHP choking on too many form values?

Create a file /data/web/public/.user.ini with this line:

max_input_vars = 75000

Last resort: disable admin form key

If you are locked out of your admin panel, you could use this as last resort:

$ magerun config:set admin/security/use_form_key 0
$ magerun cache:flush

However, this should only be used as a temporary measure, so you can figure out what is wrong with your setup.

Need help?

Magento is no easy open source CMS.¬†Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers.¬†Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.