AWS cognito documentation change
Summary
Updated URLs and added CSRF cookie documentation
Security assessment
Adds documentation about CSRF protection cookies and corrects authentication URLs, but no evidence of addressing a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-managed-login.md b/cognito/latest/developerguide/cognito-user-pools-managed-login.md index e0ce5d2f8..a6d39066c 100644 --- a/cognito/latest/developerguide/cognito-user-pools-managed-login.md +++ b/cognito/latest/developerguide/cognito-user-pools-managed-login.md @@ -154 +154 @@ You can view your sign-in webpage with the following URL for the implicit code g - https://mydomain.us-east-1.amazoncognito.com/authorize?response_type=token&client_id=1example23456789&redirect_uri=https://mydomain.example.com + https://mydomain.auth.us-east-1.amazoncognito.com/authorize?response_type=token&client_id=1example23456789&redirect_uri=https://mydomain.example.com @@ -162 +162 @@ The following is an example response from an implicit grant request. - https://mydomain.example.com/#id_token=eyJraaBcDeF1234567890&access_token=eyJraGhIjKlM1112131415&expires_in=3600&token_type=Bearer + https://auth.example.com/#id_token=eyJraaBcDeF1234567890&access_token=eyJraGhIjKlM1112131415&expires_in=3600&token_type=Bearer @@ -219,0 +220,2 @@ Managed login and the hosted UI set cookies in users' browsers. The cookies conf + * A `csrf-state-legacy` cookie for session consistency, read by Amazon Cognito as a fallback when your browser doesn't have support for the `SameSite` attribute. +