Possible CSRF Attack On Product Option Add

Hello Guys,

I am having a huge problem on product option add.

I have added 60 variants on a single option, although there are 60 more to add. But I couldn’t add any more, because after I hit the “SAVE” button, it redirects to the dashboard and says “action denied : POSSIBLE CSRF ATTACKED”.

I have enabled/disabled the anti_csrf variable (true/false), but in either case it is not working.

Please help me

Thank you

You can submit this issue to the bug tracker.


Maybe you have some restrictions on your server.

Please check post_max_size setting on your server and try to increase this to solve this issue.

Thank you.

With the value of the max_post_size setting, you should also increase the value of the max_input_vars one. It should solve the problem.

Thank you. I will do that and let you know.

Thank you very much guys, it worked.

It appears I have the same issue when adding 100 options. However, the steps outlined above do not help. Does anyone have any suggestions?

I changed them as follows:

@ /usr/local/cpanel/3rdparty/etc/php.ini

post_max_size = 256M

max_input_vars = 2000

In fact, the number of input vars for 100 options can be greater than 2000.

I have tried "max_input_vars = 10000" and higher, but still no luck.

I have made the necessary settings changes as mentioned above, but cannot add more than 70 options on any product without the CSRF attack error message...

Anyone have any other ideas?

When you set the value, can you verify that it is set to the value you expect using ini_get('max_input_vars')?

I have increased the sizes of the attributes mentioned to silly values like "max_input_vars = 100000" and post_max_size = 1024M and yes verified in phpinfo() that the settings have taken...

I once managed to get 73 random items added as variables to an option but ever since they have failed... I have deleted cache (that's when it worked for 73 variants) all to pretty much no avail.

Very frustrating. Anyone got any ideas? I'm kind of shooting in the dark here.

OK, after some serious messing around it seems I have found it. For anyone that might experience this, check whether your server has the suhosin hardened extension installed. I had to make some changes in there; I cannot say for sure which ones it was that helped it work, but these are the changes I added to my php.ini:

; Filtering Options
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 50000
suhosin.cookie.max_vars = 100
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 10000
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 100000
suhosin.post.max_vars = 10000
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 2000
suhosin.request.max_varname_length = 128
suhosin.upload.remove_binary = Off
suhosin.session.max_id_length = 128

Hope this helps someone out
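
An added example, not part of the thread and not CS-Cart code: a throwaway PHP probe that reports the limits discussed above as the web request actually sees them, then posts a chosen number of fields back to itself and counts how many arrive. The file name probe.php and the field names f and last are hypothetical; the syntax is kept PHP 5.4 compatible because Suhosin is mostly found on older PHP builds.

```php
<?php
// Added diagnostic sketch, not CS-Cart code. Serve it briefly from the same
// vhost and PHP handler as the store, open probe.php?n=3000, submit, delete it.

// Convert php.ini shorthand such as "256M" to bytes.
function ini_bytes($value)
{
    $value = trim((string) $value);
    $n = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $n *= 1024; // fall through
        case 'M': $n *= 1024; // fall through
        case 'K': $n *= 1024;
    }
    return $n;
}

// Directives named in this thread that cap the number of POST variables,
// as seen by this request, lowest first. Unset directives are skipped.
function effective_var_limits()
{
    $limits = [];
    foreach (['max_input_vars', 'suhosin.post.max_vars', 'suhosin.request.max_vars'] as $name) {
        $raw = ini_get($name);
        if ($raw !== false && $raw !== '') {
            $limits[$name] = (int) $raw;
        }
    }
    asort($limits);
    return $limits;
}

$n = isset($_GET['n']) ? max(1, min(20000, (int) $_GET['n'])) : 100;
header('Content-Type: text/html; charset=utf-8');
echo '<pre>suhosin loaded: ', extension_loaded('suhosin') ? 'yes' : 'no', "\n";
echo 'post_max_size = ', ini_bytes(ini_get('post_max_size')), " bytes\n";
foreach (effective_var_limits() as $name => $limit) {
    echo $name, ' = ', $limit, "\n";
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $got = (isset($_POST['f']) && is_array($_POST['f'])) ? count($_POST['f']) : 0;
    echo 'fields sent: ', $n, ', received: ', $got, ', trailing field present: ',
        isset($_POST['last']) ? 'yes' : 'no', "\n";
}
echo '</pre><form method="post" action="?n=', $n, '">';
for ($i = 0; $i < $n; $i++) {
    echo '<input type="hidden" name="f[', $i, ']" value="x">';
}
echo '<input type="hidden" name="last" value="1"><button>Probe</button></form>';
```

If fewer fields are received than were sent, or the trailing field is missing, one of the listed limits is still truncating the POST; the first line of the sorted list is the lowest one in effect for that handler.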