I just did a fresh installation of Magento 1.9.0.1 and I am seeing some very odd behaviour with the customer login form.
In Chrome (version 36) the login form does not work. I am just redirected to the login page. There is no error message shown on the page. However, when I open a new Incognito Window, I am able to log in just fine. Thinking this was a cookie problem, I cleared out all my cookies from the browser and tried again and I got the same results. In both cases, I am able to log in to the admin panel without any issues.
I have also tried this in both Firefox and Safari. In Firefox I would see the same thing happen (but not consistently, and I could fix it by clearing the cookies), and I could not replicate it in Safari.
I have never had an issue with this in any other version of Magento. Is there some kind of fundamental change in the way Magento handles cookies in version 1.9 and/or is there something I can do to make this more stable?
Best Answer
I had the same problem...
The answer is that your theme does not supply a variable called form_key. Just as stated above, I have to add it right after <ul class="form-list"> in each one of my login.phtml files for the theme. You may also have problems with updating the quantity of cart items.
Here is the importance of form_keys: since the beginning of time, Magento's backend contained a form key that protected against XSS attacks [1]. With Magento 1.8 the form key has entered the frontend for pretty much the same reason: to protect against form submission from another website, using your browser. A malicious attacker can add stuff to your cart while you're in a different browser tab or even complete an order for you. This relies on predictable URLs because the site will not have access to the actual HTML content in the browser tab where you have your Magento order waiting. Everything sent to the Magento store will however submit your cookies and thus use your session.
By adding a unique key to each form or to each link that generates action on the server, the URL or form content becomes no longer predictable. The form key is stored in the session data and validated upon submission to the server. If they don't match, you get a form key error and the action is not completed.
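The form-key check the answer describes, modelled as an added standalone PHP example (hypothetical helper functions, not Magento's own classes; the $session array stands in for the server-side session store and $post for the submitted form; the 16-character key length and the hidden-input name form_key follow what the answer describes):

```php
<?php
// Standalone model of the form-key mechanism (hypothetical helpers, not
// Magento code). $session stands in for the server-side session store.

function getFormKey(array &$session): string
{
    // One random key per session, generated lazily and reused by every form
    // rendered in that session, so a third-party site that only knows the
    // URL cannot predict it.
    if (empty($session['_form_key'])) {
        $session['_form_key'] = bin2hex(random_bytes(8)); // 16 hex characters
    }
    return $session['_form_key'];
}

function renderFormKeyField(array &$session): string
{
    // The hidden input a login or cart template must emit inside its form.
    $key = htmlspecialchars(getFormKey($session), ENT_QUOTES, 'UTF-8');
    return '<input name="form_key" type="hidden" value="' . $key . '" />';
}

function validateFormKey(array $session, array $post): bool
{
    // Reject when the session has no key, the form sent none, or they differ.
    // hash_equals keeps the comparison constant-time.
    if (empty($session['_form_key']) || !isset($post['form_key'])) {
        return false;
    }
    return hash_equals($session['_form_key'], (string) $post['form_key']);
}

// --- constructed walk-through ---
$session = [];                            // fresh visitor session, no key yet
$field   = renderFormKeyField($session);  // the template emits the hidden input
echo $field, "\n";

// Legitimate submission: the browser posts back the key it was given.
$good = ['username' => 'alice', 'form_key' => $session['_form_key']];
echo 'with key:    ', validateFormKey($session, $good) ? 'accepted' : 'rejected', "\n";

// Theme that omits the field: the POST carries no form_key, so the action
// is not completed and the visitor lands back on the form.
$missing = ['username' => 'alice'];
echo 'without key: ', validateFormKey($session, $missing) ? 'accepted' : 'rejected', "\n";

// Request forged from another origin: cookies ride along, but the key is a guess.
$forged = ['username' => 'alice', 'form_key' => 'guess'];
echo 'forged key:  ', validateFormKey($session, $forged) ? 'accepted' : 'rejected', "\n";
```

The second case is the one a theme without the hidden field produces on every submit, which is why adding the field to each login.phtml is the fix rather than clearing cookies.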