[Closed] Handling cached form keys with LiteMage

[LSUser12]

Is there a best practice here in regards to how form keys (secret keys) should be handled?

As an example, the product page itself will be cached with the form key then being cached as well. The customer will add the product to their cart, and it will work fine the first time. The second time you try to add a product to your cart from the same page, the key will be cached and the addition to your cart will be subsequently rejected by Magento.

Short of disabling secret keys in Magento, is there a suggested solution to this problem? I could see LiteMage automatically flushing the product page of the associated cart addition as one solution (though a complicated one most likely). Similarly we could hole punch the form key itself, but that also sounds tricky.

Any advice on how customers are supposed to handle that?

 

[Lauren]

formkey is always privately hole punched. It is handled specially and by default. So the product page each user view will contain only his own form key. This form key will be purged by login/logout event.
If you see it's not working properly, maybe some other cause, I can login to your server and take a look.

 

[LSUser12]

> formkey is always privately hole punched. It is handled specially and by default. So the product page each user view will contain only his own form key. This form key will be purged by login/logout event.

In the scenario I ran into, the issue is that the form key needed to be purged each cart addition, not on a login/logout event. Maybe it does work if you add a product to your cart, log out, then log in , then add the same product to your cart. The problem is that some sites have multiple available options for a given product, and the visitor might want to add more than one of those to their cart in one login session.

 

[Lauren]

You mean without LiteMage, on that site, formkey is keep changing for one user? Do you know which extension did that?
you can try to add purge formkey, I haven't tried, not sure if works or not.

                <formkey>
                    <access>private</access>
                    <purge_tags>cart</purge_tags>
                    <!-- This is a composite grouping. The purge events for the blocks in this grouping are
                    a combination of existing purge event sets from other groupings. By using purge_tags
                    to reference these other groupings, you do not need to redefine these purge events.  -->
                </formkey>

 

[Lauren]

Is that because php session already timed out? You have a shorter session timeout for Magento?
If it is not caused by a special Magento extension that forces formkey change every time when cart updated; don't change config.xml, check this:
https://www.litespeedtech.com/suppo...magento_front-end_session_timing_out_too_soon

If the shorter session is intended, just update litemage default private ttl to be a little smaller than that value.

 

[LSUser12]

This wound up being an issue with the site's code closing prematurely, not litemage

So in an effort to illustrate this, I found something interesting. Edit: Each are 3 separate requests to add the same product to the cart (after reloading the product page)

With LiteMage Enabled and Secret Keys On

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/dGNpr10YWLRNdQDC/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/dGNpr10YWLRNdQDC/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/dGNpr10YWLRNdQDC/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

With LiteMage Disabled and Secret Keys On

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/litemagefmkeylmg/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/litemagefmkeylmg/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

/checkout/cart/add/uenc/aHR0cDovLzE5OC45MS4zMC41MS9yZWNlc3NlZC1saWdodGluZy9hbGwtcmVjZXNzZWQtbGlnaHRpbmcvaG91c2luZ3MvZG1mLWRsZWk0Lmh0bWw_X19fU0lEPVU,/product/51282/form_key/litemagefmkeylmg/?product=51282&related_product=&super_attribute%5B196%5D=4557&qty=1&return_url=&cpid=21077&block%5B%5D=options&awacp=1&no_cache=1

... That seems fairly odd to me. The unique secret key is being replaced by "litemagefmkeylmg" when LiteMage is disabled. Why is that?

 

[Michael A]

For others who may be wondering,

The issue was being caused by Organic Internet's Simple Configurable Products extension
(<OrganicInternet_SimpleConfigurableProducts>)

Adding "no_cache" to the "Do-Not-Cache GET Paramaters" comma-separated list under "User-Defined Cache Rules" in Litemage's Configuration should resolve this issue.

 

[Harneet Singh]

Hi Michael,

I have similar problem, I have extension AW product questions and form_key has replaced value to litemagefmkeylmg. When I submit the form nothing happens. It's post request. please help

Thanks in Advance!

 

[jhuck]

I spent hours searching for this answer, the suggestions here did not fix... I actually have 3 separate extensions that extend my product options. So it was going to be a nightmare to find which and where to hole punch... Only when I did a google search for "litemagefmkeylmg" (only 2 search returns?) did I bump into a post from Lauren that suggested someone use an HTML Minifier. Bam, worked like a charm... It drops most of the hard to find esi:include tags... Saved me HOURS & HOURS