magento 2.3 invalid form key

Invalid form key Magento 2.3

Rate this article

Share this article

Read Magento 2 search settings guide for more information.

magento 2.3 invalid form key

This is one of the most common problems that Magento developers have to face. Specifically, you can’t log in to the Magento admin. At the same time, you get the following message “Invalid Form Key. Please refresh the page” in the screen. Here is the solution.
magento 2.3 invalid form key

Add a search bar to Magento


There are a few ways to handle this issue:

1st method: Adjusting the ‘max_input_vars’ to be greater than a 1000 and change server configuration.

At first, to prevent the server from opening up to the DDOS attacks, we don’t modify this server configuration, but apply the other suggestions and extend the Magento controller. Nevertheless, this matter goes beyond just fixing the save category method of the controller.

After several months, it comes out with another problem – we couldn’t search the category either. If you modify a product – changing its position for instance, then try to search the category, it will appear the “Invalid Form Key. Please refresh the page” error.

This error emerges since the nonce key that is supposed to be passed with the search through Ajax is being truncated due to the same 1k POST limit. Therefore, when it checks for the key and find that it doesn’t exist, you are not allowed to proceed with the search. As a result, you must not only fix the search via another controller overwrite but also change the server configuration for the admin panel.

Finally, we decide to increase the admin only max_input_var by placing this in the WHM’s .conf instead of implementing Magento overwrites:

<LocationMatch "/(index\.php/)?admin/">
  <IfModule mod_php5.c>
    php_value max_input_vars 75000
2nd method: Removing the setting without access to the admin panel

This error might also occur as the cookie domain in System > Configuration > Web > Cookies is unlike the real site domain.

In order to diminish the setting without access to the admin panel, you have to use the following SQL query on the MySQL console or in a client like phpMyAdmin:

DELETE FROM core_config_data WHERE path='web/cookie/cookie_domain';

Then, clear the cache. If you are using the default file-based cache backend, please remove all of the directories below var/cache.

Finally, once you can log in to the admin again, set the correct cookie domain for each website or store (E.g.: for,, and all other subdomains)
If you are using n98-mage run (recommended), the same can be accomplished with:

n98-magerun config:delete web/cookie/cookie_domain
n98-magerun cache:clean config

Magento 2 custom search @ 9 USD per month

Searches related to Magento 2.3 invalid form key

Are you showing the right products, to the right shoppers, at the right time? Contact us to know more.
You may also like