Customer Login Doesn't Work in Magento 1.9
The answer is that your theme does not supply a variable called
form_key
.
Just as stated above I have to add:
<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>" />
<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>" />
you add it right after
<ul class="form-list">
to each one of my
login.phtml
files for the theme.
You may also have problems with update quantity of cart items
Take a look at http://iamvikram.com/magento-form-keys-in-version-1-8/ for more information
Here is the importance of
form_keys
:
Since the beginning of time, Magento's backend contained a form key that protected against XSS attacks [1]. With Magento 1.8 the form key has entered the frontend for pretty much the same reason: to protect against form submission from another website, using your browser. a malicious attacker can add stuff to your cart while you're in a different browser tab or even complete an order for you. This relies on predictable URLs, because the site will not have access to the actual HTML content in the browser tab where you have your Magento order waiting. Everything sent to the Magento store will however submit your cookies and thus use your session.
By adding a unique key to each form or to each link that generates an action on the server, the URL or form content becomes no longer predictable. The form key is stored in the session data and validated upon submission to the server. If they don't match, you get a form key error and the action is not completed.