Fixed: “Invalid Form Key. Please Refresh The Page” in Magento 2

Facing the Invalid Form Key error in Magento 2? Read on this blog post till the end to find the possible reasons and solutions.

In Magento 2, a form key (also known as a form nonce) is a security feature to prevent Cross-Site Request Forgery (CSRF) attacks, in which a malicious site or software tries to make unintended requests to the site where the user is authenticated.

The form key in Magento 2 ensures that the request is from the end-user and is not a part of any malicious activity.

For each session, a unique form key is generated and embedded into the form as an invisible field. And the same is matched with the user’s request to confirm legitimacy of the request.

Magento 2 Invalid Form Key Error – Possible Reasons

In many cases, you may encounter the “Invalid security or form key. Please refresh the page.” error in Magento 2, which may look like:

Here are some common reasons for Magento 2 Invalid Form Key error:

• You’re using an outdated version of Magento 2
• Incorrect max_input_vars values (too low for Magento 2)
• Problems with cookies and sessions due to mismatch of base URL during Migration

Now, let’s go through the possible ways to solve “Invalid Form Key. Please Refresh The Page” in Magento 2.

How to Solve “Invalid Form Key. Please Refresh the Page” in Magento 2?

Here are some possible solutions to the Magento 2 Invalid Form Key Error:

• Solution 1: Modify the Magento Installtion Directory File
• Solution 2: Increase the max_input_vars Value
• Solution 3: Change the Magento Base URL

Solution 1: Modify the Magento Installtion Directory File

First, back up the root/vendor/magento/module-backend/App/Action/Plugin/Authentication.php file.

Then, open the file and disable the following entities:

$requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
$baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
$routeIndex = empty($baseUrlPath) ? 0 : 1;
$requestUri = $this->_url->getUrl($requestParts[$routeIndex]);

And add the following entry:

$requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());

You’ll get the following output:

      // Checks, whether secret key is required for admin access or request uri is explicitly set
        if ($this->_url->useSecretKey()) {
#            $requestParts = explode('/', trim($request->getRequestUri(), '/'), 3);
#            $baseUrlPath = trim(parse_url($this->backendUrl->getBaseUrl(), PHP_URL_PATH), '/');
#            $routeIndex = empty($baseUrlPath) ? 0 : 1;
#            $requestUri = $this->_url->getUrl($requestParts[$routeIndex]);
            $requestUri = $this->_url->getUrl($this->_url->getStartupPageUrl());
        } elseif ($request) {
            $requestUri = $request->getRequestUri();
        }

        if (!$requestUri) {
            return false;

Now, check if the Magento 2 Invalid Form Key error reproduces or not. If it does, try the next solution.

Solution 2: Increase the max_input_vars Value

One possible reason for the Magento 2 “Invalid security or form key. Please refresh the page.” error can be an incorrect max_input_vars value.

For the php.ini or .user.ini file, use:

max_input_vars = 10000

For the .htaccess file, use this code

php_value max_input_vars 10000

Now, check if the Magento 2 Invalid Form Key error reproduces or not. If it does, try the next solution.

Solution 3: Change the Magento Base URL

The next solution is to change the base URL of Magento. You can do it in two ways:

• Using phpMyAdmin
• Using CLI

Here’s how to change Magento 2 Base URL using phpMyAdmin:

Log into phpMyAdmin and find the core_config_data table in the database.

Now, change the web/unsecure/base_url value to https://127.0.0.1

Click “Go.”

(Make sure to use the correct protocol as per your site i.e. http:// or https://)

Here’s how to change Magento 2 Base URL using CLI:

Use the following command to change the Magento 2 Base URL:

php bin/magento setup:store-config:set --base-url="http://127.0.0.1:8080/"

Make sure to change the protocol asper your site i.e. http:// or https://

Now, run the following command to flush the cache:

php bin/magento cache:flush

And remove the cache folder by using the following command in the root Magento 2 directory:

rm -rf var/cache var/generation var/page_cache

That’s it!

In case you’re still experiencing the Magento 2 Invalid Form Key error, it’s time to consult an expert. You can contact us now!