My question is similar to other topics I’ve seen here like Invalid state (error 500) after PHP/SDK redirect, but I haven’t found a solution that works yet. So far I’ve tried force disabling cache on callback.php, outright disabling state_handler = false in the config, different responseTypes.
Which SDK does this apply to? (Ex: auth-node)
Using the PHP sdk installed with composer
Which version of the SDK you are using? (Ex: 1.0)
5.3.0
Which version of the platform are you facing this error on? (Ex: Node 6.4)
PHP Version 7.2.7
Was this code working before? Have you made any changes in the dashboard recently?
No
Please capture and attach the stacktrace, it helps a lot!
Here’s the php error message, hope that helps.
Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /customers/c/4/d/domain.com/httpd.www/vendor/auth0/auth0-php/src/Auth0.php:511 Stack trace: #0 /customers/c/4/d/domain.com/httpd.www/vendor/auth0/auth0-php/src/Auth0.php(434): Auth0\SDK\Auth0->exchange() #1 /customers/c/4/d/domain.com/httpd.www/callback.php(20): Auth0\SDK\Auth0->getUser() #2 {main} thrown in /customers/c/4/d/domain.com/httpd.www/vendor/auth0/auth0-php/src/Auth0.php on line 511
Please share the code that is causing the error. (in vendor/auth0/auth0-php/src/auth0.php:511)
    // Auth0.php:511 (SDK 5.3.0): the returned state must match the stored one or the exchange aborts
    if (! $this->stateHandler->validate($state)) {
        throw new CoreException('Invalid state');
    }
Hi @philipaarseth … sorry for the trouble here but we should be able to get you up and running.
TL;DR on state validation … a value is generated in the SDK, saved in a PHP session, then validated in the callback. This helps to mitigate CSRF attacks and, if desired, can be used to maintain the state of your application. As you mentioned, this was added fairly recently to the SDK and is automatic if you use the provided methods.
Nothing happens on the Auth0 server with state, it’s just received and then sent back to the callback URL. The main things to check in your app are:
Are you generating a state and sending that to Auth0? If you’re using Auth0::login() without passing in a value for $state then you are.
Are you storing that state in the correct place ($_SESSION['auth0__webauth_state'])? Again, that method above does this for you.
Are you checking what comes back from Auth0 in the state URL param with the correct storage location? I see Auth0::getUser() in your app code above so it looks like you are.
Debug that process all the way through and you should figure out where the state check is failing. There might also be environmental issues going on, though, and you can try working through our state validation troubleshooting guide for WordPress:
Some of that information is not applicable here but the debugging steps and edge cases might be.
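The generate/store/validate round-trip described above, as an added stand-alone example (not the Auth0 PHP SDK's code and not code from this thread). It assumes a plain array stands in for $_SESSION, reuses the session key named above, and the function names, the YOUR_DOMAIN/YOUR_CLIENT_ID placeholders and the callback URL are hypothetical.

```php
<?php
// Added example of the state check the SDK performs; not the SDK's own implementation.
declare(strict_types=1);

const STATE_SESSION_KEY = 'auth0__webauth_state'; // key named in the thread above

// Step 1 (before redirecting to /authorize): mint an unguessable state and keep it server-side.
function generateAndStoreState(array &$session): string
{
    $state = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $session[STATE_SESSION_KEY] = $state;
    return $state;
}

// Step 2 (in callback.php): the ?state= Auth0 echoes back must equal the stored value.
// The stored value is consumed on first use so a replayed callback fails, and the
// comparison is constant-time. If the session was never started or was lost between the
// two requests, $stored is null and this fails, which surfaces as "Invalid state".
function validateState(array &$session, ?string $returned): bool
{
    $stored = $session[STATE_SESSION_KEY] ?? null;
    unset($session[STATE_SESSION_KEY]);
    if (!is_string($stored) || $stored === '' || !is_string($returned)) {
        return false;
    }
    return hash_equals($stored, $returned);
}

// Simulated round-trip (a real app calls session_start() and uses $_SESSION on both requests).
$session = [];
$state = generateAndStoreState($session);
$authorizeUrl = 'https://YOUR_DOMAIN/authorize?' . http_build_query([ // placeholders, not real values
    'response_type' => 'code',
    'client_id'     => 'YOUR_CLIENT_ID',
    'redirect_uri'  => 'https://example.com/callback.php',
    'state'         => $state,
]);
echo 'redirect to: ', $authorizeUrl, PHP_EOL;

echo 'genuine callback:  ', validateState($session, $state) ? 'ok' : 'Invalid state', PHP_EOL;
echo 'replayed callback: ', validateState($session, $state) ? 'ok' : 'Invalid state', PHP_EOL;
generateAndStoreState($session);
echo 'mismatched state:  ', validateState($session, 'some-other-value') ? 'ok' : 'Invalid state', PHP_EOL;
$fresh = []; // session not carried over to the callback request
echo 'lost session:      ', validateState($fresh, $state) ? 'ok' : 'Invalid state', PHP_EOL;
```

Only the first line reports ok; the other three are the situations that produce the exception shown in the stack trace above, so checking which one applies (cookie not sent, session not started, stale value) narrows the debugging.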
I followed the Quickstart guide for PHP and it doesn’t mention state. It seems to me that state isn’t optional, and that should probably be reflected in your reference documentation. I couldn’t find it on the GitHub sample either: https://github.com/auth0-samples/auth0-php-web-app/tree/master/00-Starter-Seed. I also found the link you sent earlier, but I’m not using WordPress, so I figured it didn’t apply to my use case.
That was a lot of explanation around what goes on behind the scenes but, if you’re using the built-in methods, then you don’t need to do anything extra. I wanted to point out a few other ways of logging in that might be causing the issue. The WP link is just some extra general troubleshooting steps that might be helpful in a PHP environment.
The Quickstart needs an update but what’s there should work out of the box and handle state behind the scenes. If not, which it sounds like it is not in your case, then the questions I asked above should direct you to the right place to debug.
I restarted the whole project using the sample and Quickstart, and now everything works fine.
Idk what I did wrong, but it doesn’t matter. Anyway, thanks for your assistance, Josh!