Magento 1.9 – Bypass Form Key to Add Simple Product to Cart

addtocartcartform-keymagento-1.9

Magento CE 1.9.0.1

Just upgraded from CE 1.7 and our links that we previously used to add products to cart no longer work.

Examples:
http://www.website.com/checkout/cart/add?product=215&qty=1
http://www.website.com/checkout/cart/add?product=215&qty=1&coupon=save20

Basically, the user is led to an empty cart.

I have tried implementing a module that overrides the Magento CartController with a custom module however it still does not work.

The proper way since CE 1.8 is to include a form key which is unique to each session. I wouldn't mind included this in the URL but we provide external links for our 3rd party affiliates that allow them to essentially sell our product on their site.

Is there a way to disable the form key? If not, is there a way to dynamically include it into a URL? Thank you.

Best Answer

I've had a similar issue; to address this, I created my own module and extended Mage_Checkout_CartController and overrode the addAction method. As you noticed the addAction method contains the following code: 

public function addAction()
{
    if (!$this->_validateFormKey()) {
        $this->_goBack();
        return;
    }
    ...
 }

Either disable the validateFormKey completely in this method, or have your affiliates add a query parameter (I used affiliate=1 in my example below) to their URL that you can check against so you don't disable this feature entirely.

(roughly) 

private function _validateAffiliate()
{
    $affiliate = $this->getRequest()->getParam('affiliate');
    return $affiliate == 1;
}

public function addAction()
{
    if (!$this->_validateFormKey() && !$this->_validateAffiliate()) {
        $this->_goBack();
        return;
    }
    ...
 }
Related Topic