Auth0 PHP SDK: Invalid state

I know this problem may have been discussed a lot in these forums but I can’t seem to find an answer that fixes this problem.
I’m using the auth0 PHP SDK and am using a lot of the code from the quickstart guide for PHP.
The problem is, when I attempt to login by pressing the sign in button on my page, I get taken to a blank page with an error in the console of my PHP development server. The error is as follows:

    127.0.0.1:59994 [500]: GET /callback.php?code=jDjrZOQz-Ts7lKmG3CjYXTrGZA-XP0zPkFOl6-od4eWpW&state=fdf4f0369232d4e5a2a208e2058292f0 - Uncaught Auth0\SDK\Exception\StateException: Invalid state in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php:24
    Stack trace:
    #0 /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Auth0.php(322): Auth0\SDK\Exception\StateException::invalidState()
    #1 /home/npatrick/Code/artichoke3d/callback.php(15): Auth0\SDK\Auth0->exchange()
    #2 {main}
      thrown in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php on line 24

The result I was hoping for was to see my index.php page with a name and email showing in the place of the “sign in” button.
Here is my index.php:

    <?php
    // $_SESSION is only populated after the PHP session has been started.
    session_start();
    $_SESSION["redirect_url"] = "http://127.0.0.1:3000";
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    // The quickstart reads the current credentials here; without this line $session is undefined.
    $session = $auth0->getCredentials();
    if ($session === null) {
      $_SESSION['auth0__webauth_state'] = 123456;
      echo '<a class="loginButton" href="http://127.0.0.1:3000/login.php">Sign in</a>';
    } else {
      echo '<button onclick="myFunction()" class="dropbtn">' . $session->user["email"] . '</button><img class="profileImg" src="' . $session->user["picture"] . '" height="32px" width="32px">';
    }
    ?>

login.php:

    <?php
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    // Drop any previous SDK session, then start a new authentication transaction.
    $auth0->clear();
    header("Location: " . $auth0->login("http://127.0.0.1:3000/callback.php"));
    exit;
    ?>

callback.php:

    <?php
    declare(strict_types=1);
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    // Needed so the redirect_url stored by index.php is readable here.
    session_start();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    // Exchanges the code for tokens; this is the call that throws StateException.
    $auth0->exchange(ROUTE_URL_CALLBACK);
    header("Location: " . $_SESSION["redirect_url"]);
    exit;
    ?>

logout.php:

    <?php
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    // Needed so the redirect_url stored by index.php is readable here.
    session_start();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    header("Location: " . $auth0->logout($_SESSION["redirect_url"]));
    exit;
    ?>

If you notice messy or inconsistent parts of my code, that is because I’m using bits and pieces copied from the quickstart guide and I plan to clean it up after I get a basic login system working. Also, I’m pretty new to this Auth0 stuff, so sorry if this is a really dumb question.

2 Likes

I posted a question, not an answer

1 Like

Does anybody have any ideas?

1 Like

Running into a similar issue. I’ll let you know if I find a solution.

1 Like

Also running into this issue of intermittent invalid state exception. It makes for very bad UX.

Do the Auth0 staff have any ideas about this? Any workarounds?

For such a big enterprise company as Auth0, these forums reflect a lack of professionalism and technical knowledge on the part of the staff. They just give some BS answers that don’t address the problem and leave it up to users to solve their own problems and when they do, the staff just chimes in with “thank you!” Pathetic

1 Like

It looks like they also don’t know how to handle this issue.

Hey all,

If you’re seeing the invalid state error, it’s generally because the state param in the application does not match the state param returned by Auth0 after the authentication.

This is typically the result of 2 authentication transactions running back to back, which creates two state params and results in a “mismatch” between the param in the response and the one expected in the application.

There’s a good thread about it here:
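The mismatch the reply describes can be reproduced with a small model of the state check. This is an added example, not the Auth0 SDK's code or anything posted in the thread; `StateStore`, `startLogin()`, `finishLogin()` and the tenant URL are assumptions that stand in for the SDK's transient storage and its `$auth0->login()` / `$auth0->exchange()` calls. It walks through a single transaction, two transactions started back to back, and a state that is lost between the redirect and the callback (which is what happens when the store does not persist across requests).

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the transient storage (cookie or PHP
// session) that must survive the round trip from the app to Auth0 and back.
final class StateStore
{
    /** @var array<string,string> */
    private array $items = [];

    public function set(string $key, string $value): void { $this->items[$key] = $value; }
    public function get(string $key): ?string { return $this->items[$key] ?? null; }
    public function delete(string $key): void { unset($this->items[$key]); }
}

/**
 * Start an authentication transaction: create a fresh random state, remember it,
 * and return the authorize URL the browser would be redirected to. Every call
 * overwrites whatever state was pending before, which is the root of the mismatch.
 */
function startLogin(StateStore $store, string $authorizeBase): string
{
    $state = bin2hex(random_bytes(16));
    $store->set('auth0_state', $state);
    return $authorizeBase . '?' . http_build_query(['state' => $state]);
}

/**
 * Finish the transaction: the state echoed back in the callback must equal the
 * remembered one. hash_equals() compares in constant time, and the stored value is
 * consumed first so one state can never be accepted twice.
 */
function finishLogin(StateStore $store, string $returnedState): void
{
    $expected = $store->get('auth0_state');
    $store->delete('auth0_state');
    if ($expected === null || !hash_equals($expected, $returnedState)) {
        throw new RuntimeException('Invalid state');
    }
}

/** Pull the state parameter out of an authorize URL, as Auth0 would echo it back. */
function stateFromUrl(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return (string) $query['state'];
}

$authorize = 'https://YOUR_TENANT.auth0.com/authorize'; // placeholder tenant

// Scenario 1: one transaction, one callback. The states agree.
$store = new StateStore();
$state = stateFromUrl(startLogin($store, $authorize));
finishLogin($store, $state);
echo "single transaction: ok\n";

// Scenario 2: two transactions back to back (login.php hit twice, a duplicate tab,
// a prefetch). The second call replaces the first state, so the callback that
// returns the first state no longer matches what is stored.
$store = new StateStore();
$firstState = stateFromUrl(startLogin($store, $authorize));
startLogin($store, $authorize);
try {
    finishLogin($store, $firstState);
} catch (RuntimeException $e) {
    echo "back-to-back transactions: " . $e->getMessage() . "\n";
}

// Scenario 3: the state never survives the redirect (session not started, cookie
// not sent back, different host between login and callback). The callback sees
// no stored value at all and fails the same way.
$store = new StateStore();
$state = stateFromUrl(startLogin($store, $authorize));
$store = new StateStore(); // fresh request with nothing remembered
try {
    finishLogin($store, $state);
} catch (RuntimeException $e) {
    echo "state lost across redirect: " . $e->getMessage() . "\n";
}
```

When debugging a real deployment, the two questions this model raises are the useful ones: is something starting a second transaction before the first callback arrives, and does the storage the SDK writes the state into actually come back on the callback request (same host, same path, session started before anything touches it).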