Magento, 4 July 2011

Magento: How to disable / remove Secret Key from Admin URL?

A new secret key is created every time you log in to the Magento Admin, so each admin session gets its own unique 32-character key. This key is appended to every admin URL, for example http://your-admin-url/key/743c37b1…adf6588/

It is added for security reasons. In their release notes, Magento state that the secret key was added to admin URLs to prevent CSRF (Cross-site request forgery) attacks.

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

You can learn more about CSRF here:- http://en.wikipedia.org/wiki/Cross-site_request_forgery

Sometimes you may want to access an admin URL without the secret key. For this, you can disable the secret key in admin URLs.

Here is how you do it:-

– Login to admin
– Go to System -> Configuration -> ADVANCED -> Admin -> Security -> Add Secret Key to URLs
– Select No
– Save Config

You are done. From now on you will not see the secret key in admin URLs. Keep in mind that this also removes the CSRF protection the key provides, since the key was added for exactly that purpose.

Hope this helps. Thanks.


  • Thanks man :) By the way, will disabling the secret key lead to any security problem?

  • James Turle

    FYI – If you have a custom admin controller, you can set certain actions that do not require the key security check by adding the following to your controller:
    protected $_publicActions = array( 'index', 'get' );
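As an added example (not code from the post or from the commenter above), here is a Magento 1 admin controller for a hypothetical Acme_Report module that applies the _publicActions exemption only to a read-only action, so the state-changing action keeps the secret-key CSRF check; the module name, controller name, config path and ACL resource are assumptions.

```php
<?php
// Added example, not from the original post: a Magento 1 admin controller that
// exempts only a read-only action from the URL secret-key check.
// Assumes a hypothetical "Acme_Report" module registered under the adminhtml router.
class Acme_Report_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    // Actions listed here are served even when the /key/... URL segment is
    // absent or wrong (Mage_Adminhtml_Controller_Action::_validateSecretKey
    // skips them). Keep this to read-only actions: anything that changes
    // state stays behind the secret key so the CSRF protection still applies.
    protected $_publicActions = array('index');

    public function indexAction()
    {
        // Read-only: renders the report grid. No state change, so a stable
        // URL without the key (e.g. a bookmarked dashboard link) is acceptable.
        $this->loadLayout()->renderLayout();
    }

    public function saveAction()
    {
        // Not public: preDispatch rejects this request unless the URL carries
        // a valid secret key for the current admin session, which is what
        // stops a cross-site forged POST from reaching this code.
        $data = $this->getRequest()->getPost();
        if (!$data || !isset($data['limit'])) {
            $this->_getSession()->addError($this->__('No data to save.'));
            $this->_redirect('*/*/');
            return;
        }
        // Persist the setting (hypothetical config path) and refresh the cache.
        Mage::getConfig()->saveConfig('acme_report/settings/limit', (int)$data['limit']);
        Mage::getConfig()->reinit();
        $this->_getSession()->addSuccess($this->__('Report settings saved.'));
        $this->_redirect('*/*/');
    }

    protected function _isAllowed()
    {
        // The ACL check still applies to every action, public or not;
        // _publicActions only relaxes the URL secret-key check.
        return Mage::getSingleton('admin/session')->isAllowed('report/acme_report');
    }
}
```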