Why does AWS Cognito Managed Login return "Invalid CSRF token" when login is attempted from an earlier tab/window?


Hello,

I'm using AWS Cognito Managed Login for authentication in my application. I'm encountering an issue related to CSRF protection when multiple login pages are opened in separate tabs.

Here’s what happens:

  1. I open the Cognito Managed Login page from my application in Tab A/Window A.
  2. Then, I open another login page (same Managed Login) in a new Tab B/Window B.
  3. After that, I go back to Tab A/Window A and try to log in.
  4. Cognito returns: "Invalid CSRF token" error.

What I Understand (So Far):

  • Cognito sets an XSRF-TOKEN cookie on its domain (auth.us-east-1.amazoncognito.com) during login.
  • This token is associated with a state parameter and checked when redirecting back.
  • Opening a second Cognito login page causes a new token to overwrite the original (since cookies are shared across pages).
  • When the user logs in from the first page, the stored token and the browser cookie no longer match → causing CSRF validation to fail.

Still, I’m trying to understand how to avoid this error in a multi-tab/multi-page scenario.

Thanks in advance!

Example Managed Login URL: https://avp***.auth.us-east-1.amazoncognito.com/login?client_id=...&prompt=login&redirect_uri=...&response_type=code&scope=openid+profile+aws.cognito.signin.user.admin&state=...

(Screenshot of the error)

asked 2 months ago · 166 views
2 Answers

The "Invalid CSRF token" error you're experiencing with AWS Cognito Managed Login in a multi-tab scenario is related to how Cognito handles session cookies and CSRF protection across browser tabs.

When you open the Cognito Managed Login page, it sets a session cookie that includes CSRF protection. This cookie is valid for the custom domain and all its subdomains. When you open a new tab with another login page, it overwrites the existing cookie with a new one, as cookies are shared across tabs for the same domain.

The issue occurs because the original tab still has the old CSRF token in its state, but the cookie now contains a new token. When you attempt to log in from the original tab, the tokens don't match, resulting in the "Invalid CSRF token" error.

To avoid this error in a multi-tab scenario, you have a few options:

  1. Encourage users to use a single tab for login: Educate your users to avoid opening multiple login tabs simultaneously.

  2. Implement a refresh mechanism: When a user switches back to an older tab, you could implement a mechanism to refresh the login page, ensuring it has the most recent CSRF token.

  3. Use separate subdomains: If possible, configure your Cognito user pools to use separate subdomains for different parts of your application. This can help isolate the cookie scope, though it may not be practical for all use cases.

  4. Handle the error gracefully: Implement error handling in your application to detect this specific error and provide a user-friendly way to retry the login process, possibly by refreshing the page or redirecting to a fresh login URL.

It's important to note that this behavior is part of Cognito's security measures to prevent CSRF attacks. While it can be inconvenient in multi-tab scenarios, it's designed to protect users from potential security vulnerabilities.
Sources
Configuring a user pool domain - Amazon Cognito
The managed login sign-in endpoint: /login - Amazon Cognito
Managed login and federation error responses - Amazon Cognito

answered 2 months ago by an AWS Support Engineer · reviewed 2 months ago

"Implement a refresh mechanism: When a user switches back to an older tab, you could implement a mechanism to refresh the login page, ensuring it has the most recent CSRF token."

How do you do this when the authentication is managed by AWS?

answered a month ago
