Magento CSRF Protection

astorm


Maybe if I write this down I’ll remember it.

You probably know that every Magento admin console URL needs a per-session secret key in the URL (the key/... segment):

http://magento.example.com/admin/catalog_product/edit/id/174/key/c4df66cd2118cb5422c9fb5eff7eq4f0/

That’s why admin URLs are generated with the Mage::getModel('adminhtml/url') model object (what $this->getUrl() calls inside an admin controller or block) rather than hand-built: it appends the key for the target controller/action for you.

What I always forget is that any POST to Magento’s backend also needs a form_key parameter, so there are two layers of CSRF protection: the secret key in the URL and the form key in the request body. Without a valid form_key the POST is redirected to the dashboard instead of being handled. You can generate a form_key with

Mage::getSingleton('core/session')->getFormKey()
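The two pieces together, as an added example that is not code from the original post. It assumes a custom Magento 1 admin module whose save action is reachable at the hypothetical route adminhtml/inventory/save, and it only runs inside an admin request where the admin session already exists. Note that forms built with Varien_Data_Form (the normal admin widget form) insert the hidden form_key input themselves when their method is post; it is hand-written templates and scripted POSTs where the key gets forgotten.

```php
<?php
// Added example (not from the original post). Assumes a Magento 1 admin module
// with a hypothetical route adminhtml/inventory/save, rendered from a .phtml
// template inside an authenticated admin request.

// 1. Never hand-build /admin/... paths. The adminhtml/url model (what
//    $this->getUrl() uses in admin controllers and blocks) appends the secret
//    key computed for this session and this controller/action.
$url = Mage::getModel('adminhtml/url')->getUrl(
    'adminhtml/inventory/save',   // hypothetical route
    array('id' => 174)
);
// Result shape: http://magento.example.com/admin/inventory/save/id/174/key/<hex>/

// 2. The key in the URL only gets the request past the URL check. A POST is
//    also checked for form_key, so a hand-written form must carry it. The
//    value is tied to the admin session; a stale or missing one gets the
//    request bounced to the dashboard.
$formKey = Mage::getSingleton('core/session')->getFormKey();
?>
<form action="<?php echo $url ?>" method="post">
    <input type="hidden" name="form_key" value="<?php echo $formKey ?>" />
    <input type="text" name="qty" value="" />
    <button type="submit">Save</button>
</form>
```

For Ajax POSTs from admin JavaScript the same value is available as the page-level FORM_KEY global, and it has to be sent as a form_key parameter just like the hidden input above; the secret key in the URL does not substitute for it.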

Copyright © Alan Storm 1975 – 2019 All Rights Reserved

Originally Posted: 10th May 2013