Form keys are not working for extensions
- Thread starter Harneet Singh
- Start date
Hi Lauren, Unfortunately I do not have test store.
I have this code in form.phtml
formKeyElement.setAttribute('value', '<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>');
getFormKey returns litemagefmkeylmg string.
But when we submit form and try to validate in controller using following method:
protected function _getSession()
{
return Mage::getSingleton('core/session');
}
protected function _validateFormKey()
{
$formKeyFromRequest = $this->getRequest()->getParam('form_key', null);
$formKeyFromSession = $this->_getSession()->getFormKey();
if (!$formKeyFromRequest || $formKeyFromRequest != $formKeyFromSession) {
return false;
}
return true;
}
getFormKey returns valid key like L4Iexn1FiRZWdemB
this validation obviously will be failed...
I am not sure why different output from the same method call.
I have this code in form.phtml
formKeyElement.setAttribute('value', '<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>');
getFormKey returns litemagefmkeylmg string.
But when we submit form and try to validate in controller using following method:
protected function _getSession()
{
return Mage::getSingleton('core/session');
}
protected function _validateFormKey()
{
$formKeyFromRequest = $this->getRequest()->getParam('form_key', null);
$formKeyFromSession = $this->_getSession()->getFormKey();
if (!$formKeyFromRequest || $formKeyFromRequest != $formKeyFromSession) {
return false;
}
return true;
}
getFormKey returns valid key like L4Iexn1FiRZWdemB
this validation obviously will be failed...
I am not sure why different output from the same method call.
form key value is unique per customer. We need to punch a hole for any place that reference the formkey. So the cached page is generic and can be shared by everyone. Server will just replace the real form key when serving to individual user. when magento output, it should replace litemage formkey with esi:include tags.
Do you have any plugin that will do html minify? It may delete those esi:include tags. You can try to enable "Use alternate ESI syntax" and see if it shows up. esi:include will be processed internally by lsws, so to end users, you will not see this and only see the real form key.
Do you have any plugin that will do html minify? It may delete those esi:include tags. You can try to enable "Use alternate ESI syntax" and see if it shows up. esi:include will be processed internally by lsws, so to end users, you will not see this and only see the real form key.
