Intermittent missing cookie issue resulting in unsuccessful logins

I read this post in detail: BadRequestError: checks.state argument is missing - #4 by schalk.neethling, but unfortunately it doesn’t help me at all.
We’re also running into (very intermittently),

checks.state argument is missing

We’re using "@auth0/nextjs-auth0": "^1.9.0" for a simple app.

Here’s the flow:

  1. User pulls up browser and navigates to our website
  2. On clicking login /api/auth/login, we’re redirected to our Auth0 tenant
  3. User provides credentials and hits login, GET on callback URL is called
  4. Occasionally, user is presented with a “checks.state argument is missing”

The problem here is when the GET on callback URL is called, request cookies like (pvisitor, nonce, state, code_verifier).
I noticed that in step 1, step 2, etc., when I compare requests, they are identical. When the error comes up, I notice that in step 3 cookies were not passed in the request.

Additional information:

Hello there @shyam_p welcome to the community!

Thanks for the detailed description of the issue and related resources.

This is exactly when we would expect to see this error, when the cookies are not picked up on the callback. This can occur for a number of reasons - Have you been able to test this on different browsers? Is there any sort of pattern you can point to there?

I’d probably start by looking at the following GH issues which have been opened related to the same error previously:

(there are a handful of other issues filed in the repo that could be of use as well)

Aside from that, I might recommend attempting to reproduce locally with our Next.js sample app - I have been testing myself and have thus far been unable to reproduce. This could be helpful in isolating where the issue is and gives us something to test against.

Keep us posted!

Thanks for the response. It’s not easy to reproduce; it only happens on a fresh browser (with all cookies and history deleted). For now we’ve gotten around the problem by redirecting the user back in case of an error so they hit login again and of course it works the second time.
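
The callback-side check discussed in this thread, as an added example that is not part of any post above and not the @auth0/nextjs-auth0 implementation: it separates a callback that arrived without the state cookie (restart login, at most once) from one whose cookie does not match (reject). The cookie name `state`, the `<random>.<restarts>` state format, the `restart` query parameter and all function names are assumptions.

```javascript
// Added example. The cookie name "state", the "<random>.<restarts>" state
// format and all function names are assumptions, not the SDK's API.
const MAX_RESTARTS = 1; // one automatic restart, then surface the error

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Compare without stopping at the first differing character.
function sameState(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide what the callback route does with one incoming GET.
function checkCallback(cookieHeader, query) {
  const returned = query.state;
  if (!returned) return { action: 'reject', reason: 'no state in callback URL' };
  const expected = parseCookies(cookieHeader).get('state');
  if (expected === undefined) {
    // Cookie not sent (the case in this thread). The state parameter is echoed
    // back by the authorization server, so a counter in its suffix survives
    // even when every cookie is lost and can bound the restarts.
    const suffix = returned.slice(returned.lastIndexOf('.') + 1);
    const restarts = /^\d$/.test(suffix) ? Number(suffix) : MAX_RESTARTS;
    if (restarts >= MAX_RESTARTS) {
      return { action: 'reject', reason: 'state cookie missing after restart' };
    }
    return { action: 'restart', location: `/api/auth/login?restart=${restarts + 1}` };
  }
  // A cookie that is present but different is never retried automatically.
  if (!sameState(expected, returned)) return { action: 'reject', reason: 'state mismatch' };
  return { action: 'continue' };
}

// Constructed requests: a normal callback, then one that arrived without cookies.
console.log(checkCallback('nonce=n1; state=Zx81kQ.0', { state: 'Zx81kQ.0' }));
console.log(checkCallback('', { state: 'Zx81kQ.0' }));
```

The restart never completes a login from the unverified callback; it only begins a new transaction with a new state value, and the counter keeps a browser that drops the cookie every time from looping.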