I see this on occasion with clients who let their browsers auto-fill their logins. I.e. the return_url is either invalid or is not valid for that account. I always suggest that they simply strip any admin login down to the example.com/admin.php (adjusted for your site). I generally have NOT seen it when someone tries to access an admin page but their session has expired which then causes the redirect to login with the return_url being the page they were on.
Hope that helps.
Our customers complained about CSRF attack error when login.
I can reproduce this error on https sites when login is made with popup (My account->Sign in) when "Remember me" option is offered and checked.
Procedure is this:
- sign in as customer with popup login on https site, check "Remember me" box
- save your password with username
- sign out
- clear cookies and sessions in browser
- sign in as customer with popup login and use browser saved username and password
The result is an error: Access denied. Possible CSRF attack. I reproduced this in latest Chrome, Edge and Firefox browser.

Does anyone have a solution to this?
Thank you!