“invalid form key. please refresh the page” – cannot login to admin panel

The question:

I regularly visit my site to make sure its working and noticed that images for products were not appearing, thinking it was a problem with indexing cache I tried to login to the admin panel and received the error:

“invalid form key. please refresh the page”

"invalid form key. please refresh the page" - cannot login to admin panel

Other symptoms are customers could not add products to cart and extremely slow performance.

There are no errors in the logs (/var/logs)

What additional steps should I perform to resolve this issue?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

It also happens if the cookie domain in System > Configuration > Web > Cookies is different from the actual site domain.

To remove the setting without access to the admin panel:

  1. use the following SQL query on the MySQL console or in a client like phpMyAdmin:

    DELETE FROM core_config_data WHERE path='web/cookie/cookie_domain';
  2. clear the cache. If you are using the default file based cache backend, delete all directories below var/cache.

Then as soon as you can log in again, set the correct cookie domain for each website or store (Example: .example.com for example.com, www.example.com and all other subdomains)

If you are using n98-magerun (and you should!), the same can be accomplished with:

n98-magerun config:delete web/cookie/cookie_domain
n98-magerun cache:clean config

Method 2

I am posting the question / answer because I couldn’t find anything relevant.

The issue was that the drive on which my magento installation resides was full. I freed up some room, clear the /var/session and /var/cache and everything went back to normal.

Method 3

There are 3 solutions:

  1. Use these commands in phpmyadmin

    DELETE FROM core_config_data WHERE path=’web/cookie/cookie_domain’;

    DELETE FROM core_config_data WHERE path=’web/cookie/cookie_path’;

Now Try to login.

2.Delete everything in var folder and then check if it works.

3.Replace the .htaccess file with sample .htaccess file and then try to login the admin.

Hope it help you.

Method 4

In my case the problem seems to be because I’ve created the admin user using n98-magerun with an user that cannot write on magentofolder/var and used the fallback folder /tmp/magento instead.

I just deleted my admin user and executed a sudo -iu OTHERUSER(user that owns the magento folder) and ran n98-magerun admin:user:create again to create my user.

UPDATE: In another case, the admin url has being visited without www. syntax, and the cookie settings was using www. Just putting the www. in the admin url solved the problem. 😉

Method 5

There are two cases of the cookie configuration that could be obstructing the session functionality.

The domain of the cookie does not match, or the protocol (ssl or not) here is what it looks a request where the cookie is set as “secure” but its not using an http ssl url:

"invalid form key. please refresh the page" - cannot login to admin panel

to fix them both you just have to run following:

    DELETE FROM core_config_data WHERE path='web/cookie/cookie_secure';
    DELETE FROM core_config_data WHERE path='web/cookie/cookie_domain';

and then clear the cache. for file based cache:

    rm -Rf var/cache/mage--*

for redis:

redis-cli flushall

Method 6

Another possible, somewhat obvious, problem to check first: if your site uses SSL, make sure you’re not using the http protocol for your admin page; you should be using https. e.g. https://example.com/admin

Method 7

Along with the above step of clearing cache, i also had to follow the below article and set the session data information in correct path by following the below steps

Ref article


I fixed it by changing the session.save_path to place it in the VM.

Change the file app/etc/local.xml

replaced with below

Then it started working. Also at times you cannot really tell the issue, thus it is important you enable error logging. Enable this by referring to following article


Method 8

Clear cookies and cache. Open admin panel in incognito mode.

Method 9

I fixed it by

1.Clear browsing data > ctrl+shift+del

2.Clear cookie settings “Sites that should never use cookies” > chrome://settings/cookies

“invalid form key” (chrome browser)

Method 10

Hi could something explain the solution to this problem without using it language. Honestly you might aswel be speaking a different language. We can all do that about things we know about but it doesn’t help people with the problem, just causes further confusion.

Method 11

This is known issue generally comes after applying patch SUPEE-7405 included in Magento release. It can be solved by adding below code in file – app/code/local/Mage/Core/Model/Session.php

public function validateFormKey()
    if (!($formKey = $_REQUEST['form_key']) || $formKey != $this->getFormKey()) {
        return false;
    return true;

This file might not exist in your repository so copy it from app/code/core/Mage/Core/Model/Session.php and paste it in app/code/local/Mage/Core/Model/Session.php After that add above function in file because it may be missing in core file.

Also clear your browser cache and cookies. Clear all files in Magento var/cache and var/session folders contents. Then login to your admin panel.

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment