How to Add Form Key in Magento 2
Adding a form key to a phtml template in Magento 2 is a way of preventing cross-site request forgery.
As per Wikipedia, cross-site request forgery means:
“An innocent end-user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.”
When you add a form key in Magento 2, you keep your site safe from spammers trying to post to your forms from other sites as if they were you!
If the site is vulnerable to an XSRF attack, a spammer can create his/her own form and post it to any form handler controller action in the Magento 2 store. The solution below enables a check on the form_key parameter included with the form post and ignores any post that fails this verification.
Implementing the solution below tells Magento to check for a layout block named “formkey”, and to output and store that unique key for the user session.
Method to add form key in Magento 2:
- Create CMS Page : custom_form
```
{{block class="Vendor\Module\Block\BlockName" template="Vendor_Module::customForm.phtml"}}
```
- Create block File : BlockName.php
```php
<?php
namespace Vendor\Module\Block;

use Magento\Framework\Data\Form\FormKey;
use Magento\Framework\View\Element\Template;
// Frontend template blocks take the Template context, not the backend widget context.
use Magento\Framework\View\Element\Template\Context;

class BlockName extends Template
{
    /** @var FormKey */
    protected $formKey;

    public function __construct(Context $context, FormKey $formKey, array $data = [])
    {
        $this->formKey = $formKey;
        parent::__construct($context, $data);
    }

    /**
     * Return the form key stored for the current user session.
     */
    public function getFormKey()
    {
        return $this->formKey->getFormKey();
    }
}
```
- Create customForm.phtml
Custom Form key example:
```php
<?php // 'route/controller/action' is a placeholder; getUrl() turns it into a full store URL. ?>
<form id="custom_form" class="form" method="post"
      action="<?php echo $block->escapeUrl($block->getUrl('route/controller/action')); ?>">
    <input name="form_key" type="hidden" value="<?php echo $block->escapeHtmlAttr($block->getFormKey()); ?>">
</form>
```
Note: You can also add the form key using the Object Manager; however, this is not recommended.
- Create customForm.phtml
```php
<?php
// Not recommended: fetches the FormKey service directly from the Object Manager.
$objectManager = \Magento\Framework\App\ObjectManager::getInstance();
$formKey = $objectManager->get('Magento\Framework\Data\Form\FormKey');
?>
```
Custom Form key example
```php
<form id="custom_form" class="form" method="post"
      action="<?php echo $block->escapeUrl($block->getUrl('route/controller/action')); ?>">
    <input name="form_key" type="hidden" value="<?php echo $block->escapeHtmlAttr($formKey->getFormKey()); ?>">
</form>
```
That’s it. Also, to prevent multiple form submissions from storing the same data for the same user, disable the submit button once it has been clicked (disable button on form submit in Magento 2).
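The form key only protects the store if the receiving controller action verifies it. The following is an added example, not code from the original article: a POST handler that rejects submissions whose form_key does not match the session. The class name `Vendor\Module\Controller\Index\Save` is hypothetical, and the code assumes Magento 2.3 or later, where `HttpPostActionInterface` is available.

```php
<?php
declare(strict_types=1);

namespace Vendor\Module\Controller\Index; // hypothetical controller location

use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\Result\RedirectFactory;
use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
use Magento\Framework\Message\ManagerInterface;

class Save implements HttpPostActionInterface
{
    private $request;
    private $formKeyValidator;
    private $redirectFactory;
    private $messageManager;

    public function __construct(
        RequestInterface $request,
        FormKeyValidator $formKeyValidator,
        RedirectFactory $redirectFactory,
        ManagerInterface $messageManager
    ) {
        $this->request = $request;
        $this->formKeyValidator = $formKeyValidator;
        $this->redirectFactory = $redirectFactory;
        $this->messageManager = $messageManager;
    }

    public function execute()
    {
        // Send the visitor back to the form page in every case.
        $redirect = $this->redirectFactory->create();
        $redirect->setRefererOrBaseUrl();

        // validate() compares the posted form_key with the key held in the session.
        if (!$this->formKeyValidator->validate($this->request)) {
            $this->messageManager->addErrorMessage(__('Invalid Form Key. Please refresh the page.'));
            return $redirect; // drop the post without touching any data
        }

        // Form key matched: handle the submitted fields here (omitted, module specific).
        $this->messageManager->addSuccessMessage(__('Form submitted.'));
        return $redirect;
    }
}
```

A form built on another site cannot read the visitor's session key, so its post fails `validate()` and is discarded before any data is processed.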
Any doubts on the topic can be mentioned in the Comments section below. I’d be happy to help.
Please share the solution with Magento community via social media.
Thank you.
Chandresh Chauhan
He has been with Meetanshi for more than three years now as a certified Magento developer. A silent guy whom you can always find solving clients' issues, is an avid reader too.