Hi @stanley 
Invalid State errors occur when the underlying Auth0 PHP SDK cannot verify the transient ‘state’ cookie set on the device, which occurs when login() is called, after your user returns from authenticating with Auth0’s Universal Login. This comparison happens (or should be happening) during your app’s callback route.
You’re quite right about firing off login() twice potentially causing those, as you’re overwriting the transient state cookie on the device each time it’s fired. This could cause a mismatch. We recommend this check-on-login-route approach in our Quickstart example for that reason.
As far as why you’re seeing elevated cases of Invalid State errors within your app, we’ll need to dig into your application’s structure more. If you would, please create a new thread detailing how you have your app configured, your routing, etc. so we can troubleshoot that together. Thanks!