Auth0 Home Blog Docs

Getting an Invalid CSRF token error during password reset



A customer is telling me that he “can’t change his password” using the “forgot password” link/flow via Lock. I am not sure about what’s wrong, if I try the procedure myself it works like a charm and he can’t explain exactly what’s doing.

The only thing I see Auth0’s logs is: “Invalid CSRF token” but have on idea on what may be causing it. Obviously the customer is doing something unexpected, but do you have any idea on what may be causing it?


I’m able to reproduce the issue if I intentionally do something bad, more specifically, if after having navigated to the hosted reset password page I clear all the cookies through the browser developer tools and proceed to submit the new password then I do get the Invalid CSRF token in the error logs.

I would say it’s safe to assume that the end-user in question is not doing something similar on purpose, but the likely cause may indeed be the fact the necessary cookies are either not being correctly set or then not being correctly sent. If the end-user is somewhat technical you can consider asking him to provide an HAR file of the whole process through which you could confirm if it’s indeed cookie related.