Magento2: Add to Cart Form wrong Form Key in FPC

Created on 20 Feb 2018 · 29 Comments · Source: magento/magento2

When the page initially loads, the formkey that is placed on the page is cached between independent requests. This is not an issue if the entire page loads before the "Add to Cart" button is pressed; however, if Add to Cart is clicked before the JavaScript has fully initialized (and therefore the form is actually posted via a standard POST HTTP request), then the formkey that is sent in the form data does not match the user's session and the product is not added to the cart.

Preconditions

  1. Magento CE 2.2.2 with sample data installed
  2. Full Page Cache enabled
  3. Redirect to cart on "Add to Cart" set to yes in configuration (Sales>Checkout>Shopping Cart)

Steps to reproduce

  1. Open a browser window and navigate to a product page.
  2. View the page source and search for the formkey that is part of product_addtocartform form (form id)
  3. Note the form_key down
  4. Open an incognito window and navigate to the same product page
  5. View the page source again and search for the form_key field

Expected result

  1. The two form_key values should be different

Actual result

  1. The two form_key values are the same (meaning the second one is wrong as it will not match the cookie)

Additional information

Other Clear Description Confirmed Format is valid Ready for Work P1 done Reproduced on 2.4.x S3 Ready for Triage

All 29 comments

We have literally been looking into this today and are experiencing the same issue. Locally where we don't have a full FPC setup we have no issues. However on our dev/staging/live servers with varnish fully set up we see failed add to carts before JS is initialised.

We initially saw it sporadically but having come to the conclusion it was a form key issue not 10 minutes before finding this issue report, we identified FPC as the issue so the sporadic nature must come from seeing uncached pages sometimes (works, form key is right) and cached pages other times (doesn't, form key isn't right)

@alexgoodey , thank you for your report.
We were not able to reproduce this issue by following the steps you provided. Please provide more detailed steps to reproduce or try to reproduce this issue on a clean installation or latest release.

Not sure how else I can explain it. Here are some screenshots.

  1. Viewing a product page that is not yet in the FPC. Showing the form_key cookie value (in Chrome)
    uncached_product_page_with_form_key_cookie
  2. The page source of the above page view shows the correct form key value in the source
    uncached_product_page_source_showing_same_form_key_value

  3. A second view (now that is in the FPC) of the same product page in an incognito window, showing the form_key cookie value (which, as expected, is different to the above as this is a completely different session)
    cached_product_page_with_form_key_cookie

  4. The page source of the same product page in an incognito window shows the original form_key value not the one belonging to the current (incognito) session
    cache_product_page_source_showing_incorrect_form_key_value

@alexgoodey, thanks for your update.
We have not reproduced this issue on a fresh installation of Magento 2.2.2 CE with sample data. See attachments

Default browser window
screenshot_5

screenshot_2

Incognito browser window

screenshot_3

screenshot_4

The two form_key values should be different

Using developer tools won't demonstrate the problem as the Javascript updates the developer tools and this problem is only apparent before Javascript has fully executed. You need to view the page source (i.e. in chrome using "view-source:", which does not execute Javascript) to see the initial form_key that is loaded with the page (and is therefore used if the Add to Cart button is clicked before the Javascript has executed).
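
The check described in the comment above (compare the form_key in the unrendered page source with the form_key cookie of the same session), written out as an added example that is not part of the original thread. The HTML and cookie strings are constructed samples, and the form id `product_addtocart_form` and all function names are assumptions.

```javascript
// Added example. Inputs are what "view-source:" returns (no JavaScript run)
// and the Cookie header string of the same browser session.

// Extract the hidden form_key input from the form with the given id.
function formKeyFromHtml(html, formId) {
  const id = formId.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const form = new RegExp(`<form\\b[^>]*\\bid="${id}"[^>]*>([\\s\\S]*?)</form>`, 'i').exec(html);
  if (!form) return null;
  const input = /<input\b[^>]*\bname="form_key"[^>]*>/i.exec(form[1]);
  const value = input && /\bvalue="([^"]*)"/i.exec(input[0]);
  return value ? value[1] : null;
}

// Read form_key out of a "name=value; name=value" cookie string.
function formKeyFromCookieHeader(cookieHeader) {
  for (const pair of cookieHeader.split(';')) {
    const [name, ...rest] = pair.trim().split('=');
    if (name === 'form_key') return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Per session: does the served HTML carry this session's key?
// Across sessions: is one HTML key being served to more than one session?
function auditSessions(sessions, formId) {
  const rows = sessions.map((s) => {
    const htmlKey = formKeyFromHtml(s.html, formId);
    const cookieKey = formKeyFromCookieHeader(s.cookie);
    return { name: s.name, htmlKey, cookieKey, matches: htmlKey !== null && htmlKey === cookieKey };
  });
  const htmlKeys = rows.map((r) => r.htmlKey).filter((k) => k !== null);
  return { rows, sharedAcrossSessions: new Set(htmlKeys).size < htmlKeys.length };
}

// Constructed sample: the second session receives the page cached for the first.
const page = (key) => `<form id="product_addtocart_form" method="post">
  <input name="form_key" type="hidden" value="${key}" />
  <button type="submit">Add to Cart</button></form>`;
const SAMPLE = [
  { name: 'first visit (cold cache)', html: page('AAAA1111aaaa2222'), cookie: 'form_key=AAAA1111aaaa2222' },
  { name: 'incognito visit (cache hit)', html: page('AAAA1111aaaa2222'), cookie: 'lang=en; form_key=BBBB3333bbbb4444' },
];

console.log(JSON.stringify(auditSessions(SAMPLE, 'product_addtocart_form'), null, 2));
```

A row with `matches: false` is a session whose no-JavaScript POST would fail form key validation; `sharedAcrossSessions: true` shows the key came from the cache rather than from the session.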

@alexgoodey, thank you for your report.
We've acknowledged the issue and added to our backlog.

Any update?

Experiencing the same problem in 2.2.4 and now in 2.2.5. The server we are using has an internal DNS, the server resolves with url http://magentotest, server CentOS 7 with Apache.

Just to be able to test the cart, I had to comment out this code in Validator.php
```php
public function validate(\Magento\Framework\App\RequestInterface $request)
{
    $formKey = $request->getParam('form_key', null);
    // if (!$formKey || $formKey !== $this->_formKey->getFormKey()) {
    //     return false;
    // }
    return true;
}
```

I have the same issue. Any update? It is a big problem.

To make sure I understand the issue correctly, going to try and summarize:

  1. form_key is a CSRF token
  2. The content in the full page cache persists the form_key that was generated for the first request with a cold cache
  3. The issue is not present once the JS initializes because it takes over form submission and it uses a different value than the form_key found in the initial DOM

Is that accurate?

It looks like the form_key in the add to cart form is changed by JS. But when you submit the form too fast it is not yet changed, so it is submitted with a cached form_key. I recorded it and can show you what is happening in the DOM:

ezgif com-gif-maker

I don't think there is any good way to resolve this issue.

  • Disable post button until JS executed
  • Turn form key into ESI (performance issue)

Have the same problem. Did anyone solve it or have a workaround?

I have solved the same issue, and while tracing it I found that the pageCache JS component was not added to the page HTML. This component is responsible for creating the form_key.

After fixing the issue I have found that add to cart is working properly.

@ananth-iyer the patch you suggested is not working and it seems to be already there

We're experiencing a very similar issue too, but the steps are a bit different to the ones raised by @alexgoodey. The site is a multi-store site, and almost every time a user switches stores the issue is highly likely to appear when adding a cross sell item to cart: the item is not added to bag, and at times the issue appears even without switching stores.

We checked the form_key in normal mode and incognito mode and they all check out to be different as expected

Preconditions
Magento EE 2.2.9 with products data
Full Page Cache enabled Fastly
Site is a multiple store

Steps to reproduce
version 1

  • Open a browser window and navigate to a product page.
  • Switch Store
  • Add a cross sell item to cart

version 2

  • Open a browser window and navigate to a product page.
  • Add a cross sell item to cart

Expected result
Product must be added to cart

Actual result
Product page hangs, product is not added to cart

Has anyone experienced a similar issue on a multi-store?

Hi @engcom-Bravo. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go through the following instruction:

  • [ ] 1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
  • [ ] 2. Verify that the issue is reproducible on 2.4-develop branch

    Details
    - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!

  • [ ] 3. If the issue is not relevant or is not reproducible any more, feel free to close it.


Hello @alexgoodey
The issue is not reproducible on Magento 2.4-develop with Sample Data
The form_key values are different in two different browsers. Please see the screenshot
form_keys

So, we have to close this issue.
Please feel free to comment, reopen or create new ticket according to the Issue reporting guidelines.
Thank you for collaboration.

@engcom-Bravo

I refer you to my earlier comment (using developer tools doesn't demonstrate the issue) - from almost 2 years ago!

https://github.com/magento/magento2/issues/13746#issuecomment-368498965

I can't believe this is the team who have made the Magento product!!!

@alexgoodey @onlinebizsoft
Thank you for your comments.
Sorry, I've acknowledged my mistake. The issue is still present in Magento 2.4-develop
form_value

:white_check_mark: Confirmed by @engcom-Bravo
Thank you for verifying the issue. Based on the provided information internal tickets MC-30171 were created

Issue Available: @engcom-Bravo, _You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself._

@magento-engcom-team any update on this issue? I am facing the issue on Magento 2.3.3 while adding a product into the cart with FPC+Varnish enabled. Getting a formkey invalid issue.

Same issue here, running 2.3.3, FPC is on - almost 2 years later... any solution guys?

Same issue here, running 2.2.10, FPC is on, anything I can do to help to solve?

Hi @thiaramus. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go through the following instruction:

    1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
    2. Verify that the issue is reproducible on 2.4-develop branch
      Details
      - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
      - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
      - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!
    3. If the issue is not relevant or is not reproducible any more, feel free to close it.

Hi @engcom-Golf. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go through the following instruction:

    1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
    2. Verify that the issue is reproducible on 2.4-develop branch
      Details
      - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
      - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
      - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!
    3. If the issue is not relevant or is not reproducible any more, feel free to close it.
