Solved: Checkout Not Working if Formkey Validation Turned On (After Applying Patches)

Recently I updated a client site to the latest version from to include all latest security and improvement patches. The site was using a customized RWD theme.

After the update everything worked pretty well, but in the admin there was a big message at the top that said for better security formkey validation on checkout needed to be enabled. This was apparently included with of SUPEE-9767 patch (and the CE release).

When form key validation enabled and then trying to complete an order during the checkout (as guest) it couldn’t get past the second step (delivery address and contacts). Just flashes but doesn´t advance to payment method step. When disabling the formkey validation from admin, everything worked, so the reason had to be somewhere in the formkey being not present.

To turn on or off form key validation on Magento, go in the menu like this:

System -> Configuration -> Admin -> Security

Turning on Magento formkey validation on checkout
Turning on Magento formkey validation on checkout

How to solve the problem, if form key validation set to Yes checkout process doesn’t work?

The solution is based on the assumption that your shop is using a custom theme that doesn’t have formkey present in every file that it is needed. This can be solved easily with one single command through SSH (or do it manually if you like, file by file).

Jump to the solution (please do this on a development copy of your Magento store first, then if successful, apply on the live site)

  1. connect via SSH to your Magento store and navigate to the installation directory of your Magento
  2. to be safe create a tar.gz backup of your Magento installation
  3. Now test searching for files that need the formkey code update. Use this command
    find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml

    SSH window, looking for files containing shipping, payment
  4. If you see a similar result (files are found) then next step is to run the actual command that will add a line of code in all of these files that makes sure formkey is present wherever they (the forms they create) are being called out. The command is
    find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
      | xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'
  5. The command just executes and doesn’t have any output in your SSH console.
  6. Go to your Magento admin (System -> Cache Management) and clear and flush Magento cache and Flush Javascript/CSS cache.
  7. Refresh all cache types.


What it does is add <?php echo $this->getBlockHtml(“formkey”) ?> in every file right before the </form> closing tag that it finds from app/design/frontend/ that are containing shipping, billing, shipping_method or payment in their filename.


This is what fixed the issue for my client’s site.

Helpful links that helped me with the solution:

Post Author: Tom Pai