Read magento 2.3 invalid form key for more information.
This is one of the most common problems that Magento developers have to face. Specifically, you can’t log in to the Magento admin. At the same time, you get the following message “Invalid Form Key. Please refresh the page” in the screen. Here is the solution.
There are a few ways to handle this issue:
1st method: Adjusting the ‘max_input_vars’ to be greater than a 1000 and change server configuration.
At first, to prevent the server from opening up to the DDOS attacks, we don’t modify this server configuration, but apply the other suggestions and extend the Magento controller. Nevertheless, this matter goes beyond just fixing the save category method of the controller.
After several months, it comes out with another problem – we couldn’t search the category either. If you modify a product – changing its position for instance, then try to search the category, it will appear the “Invalid Form Key. Please refresh the page” error.
This error emerges since the nonce key that is supposed to be passed with the search through Ajax is being truncated due to the same 1k POST limit. Therefore, when it checks for the key and find that it doesn’t exist, you are not allowed to proceed with the search. As a result, you must not only fix the search via another controller overwrite but also change the server configuration for the admin panel.
Finally, we decide to increase the admin only max_input_var by placing this in the WHM’s .conf instead of implementing Magento overwrites:
<LocationMatch "/(index\.php/)?admin/"> <IfModule mod_php5.c> php_value max_input_vars 75000 </IfModule> </LocationMatch>
2nd method: Removing the setting without access to the admin panel
This error might also occur as the cookie domain in System > Configuration > Web > Cookies is unlike the real site domain.
In order to diminish the setting without access to the admin panel, you have to use the following SQL query on the MySQL console or in a client like phpMyAdmin:
DELETE FROM core_config_data WHERE path='web/cookie/cookie_domain';
Then, clear the cache. If you are using the default file-based cache backend, please remove all of the directories below var/cache.
Finally, once you can log in to the admin again, set the correct cookie domain for each website or store (E.g.: .abc.com for abc.com, www.abc.com, and all other subdomains)
If you are using n98-magerun (recommended), the same can be accomplished with:
n98-magerun config:delete web/cookie/cookie_domain n98-magerun cache:clean config
Searches related to magento 2.3 invalid form key