Update qty on cart page doesn't work because of formkey conflict
-
29-09-2020 - |
Question
Configuration: Varnish + Pagecache module, Redirect all pages to www. in htaccess
Issue: Whenever someone hits non-www page a PAGECACHE_FORMKEY cookie is stored. Then they get redirected to www. and another PAGECACHE_FORMKEY cookie is stored but with a different value.
My code has the formkey:
<form action="<?php echo $this->getUrl('checkout/cart/updatePost') ?>" method="post">
<?php echo $this->getBlockHtml('formkey'); ?>
Tried with:
<form action="<?php echo $this->getUrl('checkout/cart/updatePost') ?>" method="post">
<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>"/>
Still doesn't work, as Mage::getSingleton('core/session')->getFormKey()
outputs the second formkey. If I delete the first PAGECACHE_FORMKEY then it will work.
How can I bypass formkey verification on checkout/cart/updatePost
?
(This has nothing to do with my theme, it happens with the default theme too, so I guess it is an issue with the connection that PageCache module establishes between varnish and the magento application. )
Solution
The solution was to disable formkey validation on the checkout_cart_updatePost
event.
function disableCsrf($observer)
{
$events = array(
'checkout_cart_updatePost',
);
$route = $observer->getEvent()->getControllerAction()->getFullActionName();
if (in_array($route, $events)) {
$key = Mage::getSingleton('core/session')->getFormKey();
Mage::app()->getRequest()->setParam('form_key', $key);
}
}
Same as in SupportDesk_CartFormKey
module.