Form submission CSRF issues in Magento

Magento now includes CSRF (Cross-Site Request Forgery) protection on publicly available forms such as the new user registration form. The goal is to make it impossible for anyone to POST to a URL without first visiting the corresponding form page. A token is supplied on this page and is sent along with the rest of the form to the server. The server validates the token and responds in a sensible way if it is correct. If the token is not correct, the server ignores the POST request.

Adding CSRF token to a form

This feature has been added to the latest Magento version. The CSRF token is supplied to forms in the PHTML template files. These files, however, are often overwritten by themes or custom templates. To fix problems regarding missing CSRF tokens, make sure that the following line (or an equivalent one) is present between the <form> tags of the corresponding form.

[Figure: lines of PHP and HTML code in a PHTML file, showing the addition of the CSRF token hidden field in the user registration form]

A typical URL on which this problem can occur is the user creation URL /customer/account/create/. When the form on this page is POSTed, the CSRF token is checked. When it is incorrect, the page responds with a 301 – Moved Permanently status and a Location header that redirects to the original form. The user does not notice this and just sees the original form again, without any error message whatsoever.
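To make the round trip described above concrete, here is a stand-alone PHP sketch added for this article; it is not Magento's code or the article's own snippet. In a Magento 1 template the hidden field is produced by the `formkey` block (`$this->getBlockHtml('formkey')`), which renders an input named `form_key`; the helper names, the 16-character token and the logging line below are this example's own choices.

```php
<?php
// Added example, not Magento's code: the form-key round trip that Magento 1
// performs for /customer/account/create/, inlined so it runs on its own.
session_start();

// Create the per-session token once; Magento keeps its own in the core session.
function getFormKey(): string
{
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(8)); // 16 hex characters
    }
    return $_SESSION['form_key'];
}

// The line a theme must keep inside its <form> tags: the hidden form_key input.
function formKeyField(): string
{
    return '<input type="hidden" name="form_key" value="'
        . htmlspecialchars(getFormKey(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Server-side check: the posted value must equal the session value.
// hash_equals() compares in constant time, avoiding a timing side channel.
function validateFormKey(array $post): bool
{
    return isset($post['form_key'])
        && is_string($post['form_key'])
        && hash_equals(getFormKey(), $post['form_key']);
}

$formUrl = '/customer/account/create/';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validateFormKey($_POST)) {
        // The silent failure described above: the request is dropped and the
        // browser is sent back to the form with no message for the user.
        // Logging the mismatch is what makes a broken theme visible to admins.
        error_log('form_key mismatch on ' . $formUrl . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        header('Location: ' . $formUrl, true, 301);
        exit;
    }
    echo 'Registration accepted for ' . htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form, token field included.
echo '<form action="' . $formUrl . '" method="post">' . formKeyField()
   . '<input type="email" name="email" /><button type="submit">Create account</button></form>';
```

A theme that drops the `formKeyField()` line reproduces the symptom exactly: every submission redirects back to the empty form, and only the log line reveals why.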


This problem illustrates some of the shortcomings of Magento. Simple security measures break the framework because of the use of low-level HTML instead of more abstract functions that would take care of this. The recently announced Magento update that solved 10 security problems has upset a lot of developers because it breaks backwards compatibility. In the meantime most extension vendors have solved the problems caused by the update, but the hours of work lost by developers and testers are countless. Hopefully Magento 2 will be somewhat more elegant in that respect.