Auth0 PHP SDK: Invalid state

I know this problem may have been discussed a lot in these forums but I can’t seem to find an answer that fixes this problem.
I’m using the auth0 PHP SDK and am using a lot of the code from the quickstart guide for PHP.
The problem is, when I attempt to log in by pressing the sign in button on my page, I get taken to a blank page with an error in the console of my PHP development server. The error is as follows:

    127.0.0.1:59994 [500]: GET /callback.php?code=jDjrZOQz-Ts7lKmG3CjYXTrGZA-XP0zPkFOl6-od4eWpW&state=fdf4f0369232d4e5a2a208e2058292f0 - Uncaught Auth0\SDK\Exception\StateException: Invalid state in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php:24
    Stack trace:
    #0 /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Auth0.php(322): Auth0\SDK\Exception\StateException::invalidState()
    #1 /home/npatrick/Code/artichoke3d/callback.php(15): Auth0\SDK\Auth0->exchange()
    #2 {main}
      thrown in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php on line 24

The result I was hoping for was to see my index.php page with a name and email showing in the place of the “sign in” button.
Here is my index.php:

    <?php
    $_SESSION["redirect_url"] = "http://127.0.0.1:3000";
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    if ($session === null) {
      $_SESSION['auth0__webauth_state'] = 123456;
      echo '<a class="loginButton" href="http://127.0.0.1:3000/login.php">Sign in</a>';
    } else {
      echo '<button onclick="myFunction()" class="dropbtn">' . $session->user["email"] . '</button><img class="profileImg" src="', $session->user["picture"] . '" height="32px" width="32px">';
    }

    ?>

login.php:

    <?php
    require 'vendor/autoload.php';

    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    $auth0->clear();
    header("Location: " . $auth0->login("http://127.0.0.1:3000/callback.php"));
    exit;
    ?>

callback.php:

    <?php
    declare(strict_types=1);
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    $auth0->exchange(ROUTE_URL_CALLBACK);
    header("Location: " . $_SESSION["redirect_url"]);
    exit;
    ?>

logout.php:

    <?php
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
    define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
    define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
    define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    header("Location: " . $auth0->logout($_SESSION["redirect_url"]));
    exit;
    ?>

If you notice messy or inconsistent parts of my code, that is because I’m using bits and pieces copied from the quickstart guide and I plan to clean it up after I get a basic login system working. Also, I’m pretty new to this Auth0 stuff so sorry if this is a really dumb question.

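For readers following the thread: the `state` value in the callback URL above is the OAuth 2.0 CSRF check, and it only passes if the value issued at login is still stored for the same browser when the callback arrives. The block below is an added example, not code from the original post and not the Auth0 SDK's own implementation; `beginLogin`, `checkCallback`, the `oauth_state` key and all sample values are hypothetical, and the `$store` array stands in for the cookie or session storage.

```php
<?php
declare(strict_types=1);

// Added illustration: a generic OAuth 2.0 "state" check, not Auth0 SDK code.
// $store stands in for the per-browser storage (cookie or session) that has
// to survive between the login redirect and the callback request.

function beginLogin(array &$store): string
{
    $state = bin2hex(random_bytes(16));   // unguessable, one per login attempt
    $store['oauth_state'] = $state;       // must persist until the callback
    return $state;                        // sent to the IdP as ?state=...
}

function checkCallback(array &$store, array $query): string
{
    $expected = $store['oauth_state'] ?? null;
    unset($store['oauth_state']);         // single use: consumed on first check
    $received = $query['state'] ?? null;

    if (!is_string($expected)) {
        return 'invalid state: nothing stored for this browser';
    }
    if (!is_string($received) || !hash_equals($expected, $received)) {
        return 'invalid state: value does not match';
    }
    return 'ok';
}

// Constructed scenarios (no network, sample values only).
$browser = [];
$state = beginLogin($browser);
$callback = ['code' => 'sample-code', 'state' => $state];
echo checkCallback($browser, $callback), PHP_EOL;  // first delivery
echo checkCallback($browser, $callback), PHP_EOL;  // same URL delivered again

$browser = [];
$state = beginLogin($browser);
$browser = [];                                     // storage lost or cleared
echo checkCallback($browser, ['state' => $state]), PHP_EOL;

$browser = [];
beginLogin($browser);
echo checkCallback($browser, ['state' => 'not-the-issued-value']), PHP_EOL;
```

When debugging an error like the one above, the useful question is which of these branches was hit: whether the stored value was still present when `/callback.php` was requested, or whether it was present but different.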

I appreciate what you did!!

I posted a question, not an answer

Does anybody have any ideas?

Running into a similar issue. I’ll let you know if I find a solution.