Update qty on cart page doesn't work because of formkey conflict

Question

Configuration: Varnish + Pagecache module, Redirect all pages to www. in htaccess

Issue: Whenever someone hits non-www page a PAGECACHE_FORMKEY cookie is stored. Then they get redirected to www. and another PAGECACHE_FORMKEY cookie is stored but with a different value.

My code has the formkey:

<form action="<?php echo $this->getUrl('checkout/cart/updatePost') ?>" method="post">
    <?php echo $this->getBlockHtml('formkey'); ?>

Tried with:

    <form action="<?php echo $this->getUrl('checkout/cart/updatePost') ?>" method="post">
<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>"/>

Still doesn't work, as Mage::getSingleton('core/session')->getFormKey() outputs the second formkey. If I delete the first PAGECACHE_FORMKEY then it will work.

How can I bypass formkey verification on checkout/cart/updatePost?

(This has nothing to do with my theme, it happens with the default theme too, so I guess it is an issue with the connection that PageCache module establishes between varnish and the magento application. )

Answer 1

The solution was to disable formkey validation on the checkout_cart_updatePost event.

function disableCsrf($observer)
{
    $events = array(   
        'checkout_cart_updatePost',
    );
    $route = $observer->getEvent()->getControllerAction()->getFullActionName();

    if (in_array($route, $events)) {
        $key = Mage::getSingleton('core/session')->getFormKey();
        Mage::app()->getRequest()->setParam('form_key', $key);
    }
}

Same as in SupportDesk_CartFormKey module.