After installing Magento security patch SUPEE-9767 and refreshing the cache, a message appears at the top of the Magento admin panel asking you to enable formkey validation on checkout. It reads, “Important: Formkey validation on checkout disabled. This may expose security risks. We strongly recommend to Enable Form Key Validation On Checkout in Admin / Security Section, for protect your own checkout process.”
Before we enabled this feature we read up on it and found that if you use custom Magento theme files you will more than likely run into problems. The SUPEE-9767 patch overrides the base checkout template files to include formkey validation; if your theme overrides any of those files, you will need to add the formkey code to your copies for the security feature to work. There is also a checkout formKey theme patch available as a GitHub Gist that adds the formkey to custom Magento theme files. We, however, did not use that patch and applied the code manually to our custom checkout files.
Add Formkey Validation To Custom Checkout Files
Below is the list of checkout templates that need to be updated with the formkey validation code. This must be done before enabling Magento formkey validation in the admin panel.

app/design/frontend/<package>/<theme>/template/checkout/cart/shipping.phtml
app/design/frontend/<package>/<theme>/template/checkout/multishipping/billing.phtml
app/design/frontend/<package>/<theme>/template/checkout/multishipping/shipping.phtml
app/design/frontend/<package>/<theme>/template/checkout/multishipping/addresses.phtml
app/design/frontend/<package>/<theme>/template/checkout/onepage/billing.phtml
app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping.phtml
app/design/frontend/<package>/<theme>/template/checkout/onepage/payment.phtml
app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping_method.phtml
app/design/frontend/<package>/<theme>/template/persistent/checkout/onepage/billing.phtml
The code that will need to be added to your theme’s custom checkout files is:
<?php echo $this->getBlockHtml('formkey'); ?>
This code was introduced earlier in our post Magento Solution to SUPEE-8788 and Product Review Form. As you can see, it is an important security feature shared by several Magento security patches.
Here’s a tip if you don’t know where to add this line within your theme’s custom files: open the base checkout files that the security patch overrode to include formkey validation. Within those files you will find the exact location to place the code. If your theme does not contain one of the files listed above, no further action is needed for it, because Magento falls back to the base file during checkout when a template is not present in your custom theme.
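Since the templates that matter are the ones your theme actually overrides, a quick way to confirm you have not missed one is to walk the list above and flag any file that exists in the theme but does not yet contain the formkey call. The script below is an added example written for this post, not code from the original article or from Magento; it assumes the theme directory passed as its argument is app/design/frontend/<package>/<theme>, and it accepts either single or double quotes around 'formkey'.

```shell
#!/bin/sh
# Added example, not part of the original post: a check for a custom Magento
# theme that lists the overridden checkout templates still lacking the formkey
# block call. The theme directory argument is assumed to be
# app/design/frontend/<package>/<theme>; the template paths are the ones
# listed in the post.

CHECKOUT_TEMPLATES="
template/checkout/cart/shipping.phtml
template/checkout/multishipping/billing.phtml
template/checkout/multishipping/shipping.phtml
template/checkout/multishipping/addresses.phtml
template/checkout/onepage/billing.phtml
template/checkout/onepage/shipping.phtml
template/checkout/onepage/payment.phtml
template/checkout/onepage/shipping_method.phtml
template/persistent/checkout/onepage/billing.phtml
"

# Prints the path of every listed template that exists in the theme but does
# not call getBlockHtml('formkey') (either quote style). Templates the theme
# does not override are skipped: Magento falls back to the base file for them.
# Returns 0 when every overridden template has the call, 1 otherwise.
find_missing_formkey() {
    theme_dir="$1"
    missing=0
    for rel in $CHECKOUT_TEMPLATES; do
        tpl="$theme_dir/$rel"
        [ -f "$tpl" ] || continue
        if ! grep -qE "getBlockHtml\(['\"]formkey['\"]\)" "$tpl"; then
            echo "$tpl"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check_formkey.sh app/design/frontend/<package>/<theme>
if [ -n "$1" ]; then
    if find_missing_formkey "$1"; then
        echo "All overridden checkout templates include the formkey block."
    else
        echo "Add <?php echo \$this->getBlockHtml('formkey'); ?> to the files above before enabling validation."
    fi
fi
```

Run it once before flipping the admin setting and again after editing the templates; an empty list (exit status 0) means every overridden checkout form will submit a form key, while any path it prints is a form that would be rejected once validation is on.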
Enable Formkey Validation On Checkout
Only enable this security feature after you have added formkey validation to your custom theme files. The warning message contains a link that takes you to the admin security section to make this change. In our Magento admin panel the exact location was System => Configuration => Advanced => Admin => Security. There we set the “Enable Form Key Validation On Checkout” field to “Yes” and saved the configuration.
After updating the necessary files and enabling formkey validation, you will be redirected to the Magento admin panel login screen. Upon logging in you will notice that the warning message has disappeared because the security feature is now enabled. Make sure to test your checkout process without delay after enabling this feature.
Checkout Stuck At Payment Information After Enabling Formkey Validation
Important fix! We ended up running into a problem where the onepage checkout process was stuck at the payment information step. We could not get past this step after filling in the required payment information. After further testing, we found that while the checkout process did not work in Chrome, it did work in Firefox. We determined this was because we had earlier tested the shopping cart in Chrome to see if it was working after we installed SUPEE-9767.
To resolve the problem, we cleared Chrome’s cookies and other site data. On retesting the checkout process we were able to get past the payment information step, and checkout was no longer stuck.
Another tip if you need time to resolve issues with the checkout process: simply disable the security feature requiring formkey validation at checkout. Your checkout process should work as expected until you resolve the issues on your end. Keep in mind that while it is disabled the protection the patch adds is off, which is exactly the risk the admin warning describes, so re-enable it as soon as your theme files are fixed.