Magento – Magento upgrade to 1.9.3.4 – are forms working without form_key output in templates

Tags: form-key, magento-1.9, magento-1.9.3.4, upgrade

I've just upgraded to Magento v1.9.3.4 and have enabled Form Key Validation On Checkout as recommended. Magento also advises:

Important! Enabling this option means that your custom templates used
in checkout process contain form_key output. Otherwise checkout may
not work.

However, even though we're using the Idev_OneStepCheckout module, which does not have <?php echo $this->getBlockHtml('formkey') ?> in any of its templates, our checkout still works, and I can complete a purchase.

Am I testing it correctly? Could the upgrade have failed somehow? Perhaps I should not be worried as everything is working, but I don't understand why, when our templates don't include the form_key output.

I've searched the base directory and can see where the formkey is used in each of these templates, which are almost all overridden in our theme or another extension:

app/design/frontend/base//default/template/catalog/product/view.phtml:43: 
app/design/frontend/base//default/template/checkout/cart/shipping.phtml:112:
app/design/frontend/base//default/template/checkout/cart.phtml:50:
app/design/frontend/base//default/template/checkout/multishipping/billing.phtml:94: 
app/design/frontend/base//default/template/checkout/multishipping/overview.phtml:34: 
app/design/frontend/base//default/template/checkout/multishipping/shipping.phtml:129:
app/design/frontend/base//default/template/checkout/onepage/billing.phtml:204: 
app/design/frontend/base//default/template/checkout/onepage/login.phtml:69: 
app/design/frontend/base//default/template/checkout/onepage/payment.phtml:40: 
app/design/frontend/base//default/template/checkout/onepage/shipping.phtml:144:
app/design/frontend/base//default/template/checkout/onepage/shipping_method.phtml:46:  
app/design/frontend/base//default/template/customer/address/edit.phtml:42:
app/design/frontend/base//default/template/customer/form/edit.phtml:33:  
app/design/frontend/base//default/template/customer/form/login.phtml:42:
app/design/frontend/base//default/template/customer/form/newsletter.phtml:34:
app/design/frontend/base//default/template/oauth/authorize/form/login-simple.phtml:42:  
app/design/frontend/base//default/template/oauth/authorize/form/login.phtml:39:  
app/design/frontend/base//default/template/opc/customer/form/login.phtml:54:
app/design/frontend/base//default/template/opc/onepage/login.phtml:14:  
app/design/frontend/base//default/template/persistent/checkout/onepage/billing.phtml:202: 
app/design/frontend/base//default/template/persistent/checkout/onepage/login.phtml:75:
app/design/frontend/base//default/template/persistent/customer/form/login.phtml:41: 
app/design/frontend/base//default/template/review/form.phtml:31:   
app/design/frontend/base//default/template/sales/reorder/sidebar.phtml:41:   
app/design/frontend/base//default/template/sendfriend/send.phtml:74:   
app/design/frontend/base//default/template/wishlist/sharing.phtml:33: 
app/design/frontend/base//default/template/wishlist/view.phtml:42: 
app/design/frontend/base//default/template/wishlist/view.phtml:56:

Best Answer

If Enable Form Key Validation On Checkout is enabled in the backend, it will check the condition isFormkeyValidationOnCheckoutEnabled() in your core file app/code/core/Mage/Checkout/controllers/OnepageController.php.

I am sure you are overwriting app/code/core/Mage/Checkout/controllers/OnepageController.php in your checkout or third-party module.

    if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
        return;
    }

So you need to add the above condition in your overwritten or third-party module files for the following actions:

saveBillingAction()

saveShippingAction()

saveShippingMethodAction()

savePaymentAction()

Note: don't forget to add <?php echo $this->getBlockHtml('formkey') ?> in your themes.

/app/design/frontend/YourPackage/YourTheme/template/checkout/onepage/billing.phtml
/app/design/frontend/YourPackage/YourTheme/template/checkout/onepage/shipping.phtml
/app/design/frontend/YourPackage/YourTheme/template/persistent/checkout/onepage/billing.phtml
/app/design/frontend/YourPackage/YourTheme/template/checkout/onepage/payment.phtml

Important: Anyone who overwrites checkout should also check the condition in their file.

    if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
        return;
    }
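One way to audit for the situation this answer describes, as an added example that is not part of the original answer or of Magento: it flags, for manual review, any of the four listed actions that a controller file defines itself without calling _validateFormKey(), and checks whether a template outputs the formkey block. The function names and the sample controller (including the class name Acme_Checkout_OnepageController) are constructed for illustration.

```python
import re

# The four actions the answer says need the form key condition.
ACTIONS = ("saveBillingAction", "saveShippingAction",
           "saveShippingMethodAction", "savePaymentAction")
VALIDATES = re.compile(r"_validateFormKey\s*\(")
FORMKEY_OUTPUT = re.compile(r"getBlockHtml\(\s*['\"]formkey['\"]\s*\)")


def method_body(php, name):
    """Brace-balanced body of `function name(`, or None if not defined.
    Naive: braces inside PHP strings or comments are counted too."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", php)
    start = php.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i, ch in enumerate(php[start:], start):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return php[start:i + 1]
    return None


def actions_missing_check(php):
    """Actions this controller defines itself without calling _validateFormKey()."""
    bodies = {name: method_body(php, name) for name in ACTIONS}
    return [n for n, b in bodies.items() if b is not None and not VALIDATES.search(b)]


def template_has_formkey(phtml):
    """True if the template outputs the formkey block."""
    return bool(FORMKEY_OUTPUT.search(phtml))


# Constructed sample: a hypothetical controller override (class name invented).
SAMPLE_CONTROLLER = """<?php
class Acme_Checkout_OnepageController extends Mage_Checkout_OnepageController
{
    public function saveBillingAction()
    {
        if ($this->isFormkeyValidationOnCheckoutEnabled() && !$this->_validateFormKey()) {
            return;
        }
    }
    public function savePaymentAction()
    {
        if ($this->_expireAjax()) { return; }
    }
}
"""

print(actions_missing_check(SAMPLE_CONTROLLER))
```

Actions the file does not define are skipped because they are inherited from the parent controller; an action that only delegates to the parent is still flagged and needs a manual look.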