MDVA-40311: “Invalid security or form key” error after login into Admin if custom admin path is configured

The MDVA-40311 patch fixes the issue where the Admin user gets an error message: Invalid security or form key. Please refresh the page, after login into the Admin if the custom admin path is configured and the secret key is enabled. This patch is available when the Quality Patches Tool (QPT) 1.1.7 is installed. The patch ID is MDVA-40311. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.4.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.2-p2

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.2-p2 - 2.4.3-p1
NOTE
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.

Issue

Admin user gets an error message: Invalid security or form key. Please refresh the page, after login into the Admin if the custom admin path is configured and the secret key is enabled.

Steps to reproduce:

  • Log in as the Admin user using a valid username and password.

Expected results:

User is able to log in without any error message.

Actual results:

Invalid security or form key. Please refresh the page error message is displayed.

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

For info about other patches available in QPT, refer to Patches available in QPT in our developer documentation.

recommendation-more-help
8bd06ef0-b3d5-4137-b74e-d7b00485808a