Why is form key added to content on each page?

The form key block is added to the content container of each page in Magento 2 by the Magento_Theme default.xml.

What is the purpose of adding this to every page in the middle of content?

https://github.com/magento/magento2/blob/2.0/app/code/Magento/Theme/view/frontend/layout/default.xml

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

add a comment |

The form key block is added to the content container of each page in Magento 2 by the Magento_Theme default.xml.

What is the purpose of adding this to every page in the middle of content?

https://github.com/magento/magento2/blob/2.0/app/code/Magento/Theme/view/frontend/layout/default.xml

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

add a comment |

The form key block is added to the content container of each page in Magento 2 by the Magento_Theme default.xml.

What is the purpose of adding this to every page in the middle of content?

https://github.com/magento/magento2/blob/2.0/app/code/Magento/Theme/view/frontend/layout/default.xml

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

The form key block is added to the content container of each page in Magento 2 by the Magento_Theme default.xml.

What is the purpose of adding this to every page in the middle of content?

https://github.com/magento/magento2/blob/2.0/app/code/Magento/Theme/view/frontend/layout/default.xml

magento2

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

edited yesterday

Himanshu

702419

edited yesterday

Himanshu

702419

edited yesterday

Himanshu

702419

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

asked Sep 2 '16 at 13:40

LM_Fielding

7131436

add a comment |

1 Answer
1

active

oldest

votes

Form key in Magento are a means of preventing against Cross Site Request Forgery, in short, it's to keep us safe from people trying to post to our forms (like add to cart) from other sites.

Since Magento is already adding a form key for every page, what we all need to do is, validate this form key while submitting any data from that particular page.

For an example, Wishlist module is validating this form key when we add wishlist item to the cart.

<?php

namespace MagentoWishlistControllerIndex;



use MagentoFrameworkAppAction;

use MagentoCatalogModelProductException as ProductException;

use MagentoFrameworkControllerResultFactory;



class Cart extends MagentoWishlistControllerAbstractIndex

{

    ...



    /**

     * @var MagentoFrameworkDataFormFormKeyValidator

     */

    protected $formKeyValidator;



    ...

    public function __construct(

        ...

        MagentoFrameworkDataFormFormKeyValidator $formKeyValidator

    ) {

        ...

        $this->formKeyValidator = $formKeyValidator;

        ...

    }



    ...

    public function execute()

    {

        /** @var MagentoFrameworkControllerResultRedirect $resultRedirect */

        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);

        if (!$this->formKeyValidator->validate($this->getRequest())) {

            return $resultRedirect->setPath('*/*/');

        }



        ...

    }

}

Similarly, we could use this MagentoFrameworkDataFormFormKeyValidator class to validate our forms against CSRF.

answered yesterday

Shyam

1,307727

add a comment |

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "479"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f134495%2fwhy-is-form-key-added-to-content-on-each-page%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

Form key in Magento are a means of preventing against Cross Site Request Forgery, in short, it's to keep us safe from people trying to post to our forms (like add to cart) from other sites.

Since Magento is already adding a form key for every page, what we all need to do is, validate this form key while submitting any data from that particular page.

For an example, Wishlist module is validating this form key when we add wishlist item to the cart.

<?php

namespace MagentoWishlistControllerIndex;



use MagentoFrameworkAppAction;

use MagentoCatalogModelProductException as ProductException;

use MagentoFrameworkControllerResultFactory;



class Cart extends MagentoWishlistControllerAbstractIndex

{

    ...



    /**

     * @var MagentoFrameworkDataFormFormKeyValidator

     */

    protected $formKeyValidator;



    ...

    public function __construct(

        ...

        MagentoFrameworkDataFormFormKeyValidator $formKeyValidator

    ) {

        ...

        $this->formKeyValidator = $formKeyValidator;

        ...

    }



    ...

    public function execute()

    {

        /** @var MagentoFrameworkControllerResultRedirect $resultRedirect */

        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);

        if (!$this->formKeyValidator->validate($this->getRequest())) {

            return $resultRedirect->setPath('*/*/');

        }



        ...

    }

}

Similarly, we could use this MagentoFrameworkDataFormFormKeyValidator class to validate our forms against CSRF.

answered yesterday

Shyam

1,307727

add a comment |

Form key in Magento are a means of preventing against Cross Site Request Forgery, in short, it's to keep us safe from people trying to post to our forms (like add to cart) from other sites.

Since Magento is already adding a form key for every page, what we all need to do is, validate this form key while submitting any data from that particular page.

For an example, Wishlist module is validating this form key when we add wishlist item to the cart.

<?php

namespace MagentoWishlistControllerIndex;



use MagentoFrameworkAppAction;

use MagentoCatalogModelProductException as ProductException;

use MagentoFrameworkControllerResultFactory;



class Cart extends MagentoWishlistControllerAbstractIndex

{

    ...



    /**

     * @var MagentoFrameworkDataFormFormKeyValidator

     */

    protected $formKeyValidator;



    ...

    public function __construct(

        ...

        MagentoFrameworkDataFormFormKeyValidator $formKeyValidator

    ) {

        ...

        $this->formKeyValidator = $formKeyValidator;

        ...

    }



    ...

    public function execute()

    {

        /** @var MagentoFrameworkControllerResultRedirect $resultRedirect */

        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);

        if (!$this->formKeyValidator->validate($this->getRequest())) {

            return $resultRedirect->setPath('*/*/');

        }



        ...

    }

}

Similarly, we could use this MagentoFrameworkDataFormFormKeyValidator class to validate our forms against CSRF.

answered yesterday

Shyam

1,307727

add a comment |

Form key in Magento are a means of preventing against Cross Site Request Forgery, in short, it's to keep us safe from people trying to post to our forms (like add to cart) from other sites.

Since Magento is already adding a form key for every page, what we all need to do is, validate this form key while submitting any data from that particular page.

For an example, Wishlist module is validating this form key when we add wishlist item to the cart.

<?php

namespace MagentoWishlistControllerIndex;



use MagentoFrameworkAppAction;

use MagentoCatalogModelProductException as ProductException;

use MagentoFrameworkControllerResultFactory;



class Cart extends MagentoWishlistControllerAbstractIndex

{

    ...



    /**

     * @var MagentoFrameworkDataFormFormKeyValidator

     */

    protected $formKeyValidator;



    ...

    public function __construct(

        ...

        MagentoFrameworkDataFormFormKeyValidator $formKeyValidator

    ) {

        ...

        $this->formKeyValidator = $formKeyValidator;

        ...

    }



    ...

    public function execute()

    {

        /** @var MagentoFrameworkControllerResultRedirect $resultRedirect */

        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);

        if (!$this->formKeyValidator->validate($this->getRequest())) {

            return $resultRedirect->setPath('*/*/');

        }



        ...

    }

}

Similarly, we could use this MagentoFrameworkDataFormFormKeyValidator class to validate our forms against CSRF.

answered yesterday

Shyam

1,307727

Form key in Magento are a means of preventing against Cross Site Request Forgery, in short, it's to keep us safe from people trying to post to our forms (like add to cart) from other sites.

Since Magento is already adding a form key for every page, what we all need to do is, validate this form key while submitting any data from that particular page.

For an example, Wishlist module is validating this form key when we add wishlist item to the cart.

<?php

namespace MagentoWishlistControllerIndex;



use MagentoFrameworkAppAction;

use MagentoCatalogModelProductException as ProductException;

use MagentoFrameworkControllerResultFactory;



class Cart extends MagentoWishlistControllerAbstractIndex

{

    ...



    /**

     * @var MagentoFrameworkDataFormFormKeyValidator

     */

    protected $formKeyValidator;



    ...

    public function __construct(

        ...

        MagentoFrameworkDataFormFormKeyValidator $formKeyValidator

    ) {

        ...

        $this->formKeyValidator = $formKeyValidator;

        ...

    }



    ...

    public function execute()

    {

        /** @var MagentoFrameworkControllerResultRedirect $resultRedirect */

        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);

        if (!$this->formKeyValidator->validate($this->getRequest())) {

            return $resultRedirect->setPath('*/*/');

        }



        ...

    }

}

Similarly, we could use this MagentoFrameworkDataFormFormKeyValidator class to validate our forms against CSRF.

answered yesterday

Shyam

1,307727

answered yesterday

Shyam

1,307727

answered yesterday

Shyam

1,307727

answered yesterday

Shyam

1,307727

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Magento Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Mfrhtyj