By using AWS re:Post, you agree to the Terms of Use

Cognito Hosted Login Page Redirects to /error when multiple Sign In windows are open


I'm using the Cognito hosted login page to authenticate into my application. The response_type is code and I'm generating a login url that includes the following query parameters: client_id, redirect_uri, response_type, scope and state. Under a specific set of circumstances, when clicking Sign In on the log in page, it will 302 Redirect to [my-app].[my-region] (note there's no query string) with a 400 Response Code. Typically clicking Sign In will navigate to my callback page where the authentication is completed, but in this instance it never hits anything in my application, it redirects from Amazon to Amazon. This is the specific sequence in order to reproduce:

  • Navigate to the application and sign in, then sign out. You should be redirected to a screen with a button that says "Sign In as [email address]" (Not the screen with fields for username and password. This does not seem to occur when that screen is used to log in).
  • Before clicking the Sign in button, copy the URL, and navigate to the same URL in a new tab or window.
  • In that window, click the Sign In button.
  • Go back to the original window
  • Click the Sign In button
  • You will get a 302 Redirect to the [my-app].[my-region] page

I've tried logging locally in my application, but like I said it never hits anything on my side. If there is logging on the AWS side, I don't know where to look.

Please let me know if this is a known issue, if there is a solution, or if any more information is needed.

Thanks in advance

1 Answers

I found the issue, and I believe it's a bug with the hosted UI.

The Sign In page seems to rely on an XSRF-TOKEN cookie . If you open up two hosted UI windows that are both on the "Sign In as..." screen, even if they have different "state" query variables, the cookie value for XSRF-TOKEN for both windows will be the same. It appears that once you log in, that XSRF token becomes invalid. The hosted UI does not change this value, so if you try to login again on the second window, it will try to use the invalid token, fail, and redirect you to the /error page. If you hit the back button (or refresh the page before logging in), it will re-generate the XSRF-TOKEN and unblock the authentication problem. Hopefully this helps someone else facing this issue. I am unsure how I can report this as a bug, so if anyone could reach out to me with that info that would be awesome.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions