Twitch Prime Loot OAuth CSRF Token Invalid

Publish Date:

If you are trying to claim Twitch Prime Loot, to log in, and after authorizing it fails with error “Forbidden - CSRF token invalid” it is because of a faulty/old cookie they do not clean up.

I inspected the cookies/storage of the website and found two id_csrf cookies. After removing one, only one was recreated and it worked.

You can remove all twitch related cookies, cookies of the twitch website, or just the one in question.

To remove only the one in question, when you are in the authentication process on the id.twitch.tv site,

  1. open the developer toolbar with F12
  2. open the Storage tab
  3. find the id_csrf cookie or cookies
  4. select them
  5. delete them (DEL key or right click context menu)
  6. refresh the page

The cookie in question:

Name Domain Path
id_csrf id.twitch.tv /oauth2