Invalid state (composer/php)

I have implemented log-in and logout with the PHP quickstart, and now I am getting this error: PHP Fatal error: Uncaught Auth0\SDK\Exception\StateException: Invalid state in C:\webpages\phptest\vendor\auth0\auth0-

require 'vendor/autoload.php';

$auth0 = new \Auth0\SDK\Auth0([
    'domain' => '',
    'clientId' => 'cientid',
    'clientSecret' => 'clientsecret',
    'cookieSecret' => 'cookie secret',
    'redirectUri' => 'http://localhost/phptest/login.php',
]);

if ($auth0->getExchangeParameters()) {
    // If they're present, we should perform the code exchange.
    $auth0->exchange();
}

$session = $auth0->getCredentials();
if ($session === null) {
    // User is not logged in!
    // Redirect to the Universal Login Page for authentication.
    header("Location: " . $auth0->login());
    echo $session;
}

function () use ($auth0) {
    // Clear the user's local session with our app, then redirect them to the Auth0 logout endpoint to clear their Auth0 session.
    header("Location: " . $auth0->logout('http://localhost/phptest/login.php'));
    echo 'logged out';
};
echo json_encode($auth0, JSON_PRETTY_PRINT);
echo json_encode($session, JSON_PRETTY_PRINT);

Hey there!

In order to let us help you more effectively, can I ask you to share with us the link to the quickstart you were using? Thank you!

Hi @konrad.sopala, Auth0 PHP SDK Quickstarts: Login is the link I've been following.

Perfect! In order to handle that most effectively can I ask you to raise it as a GitHub issue here:

so we can work on that directly with the quickstart maintainer and solve it in the shortest period of time? Once you have a link to it please share it here so we can ping them. Thank you!

Thank you for the quick reply, @konrad.sopala. I have raised the issue here: INVALID STATE(COMPOSER/PHP) · Issue #80 · auth0-samples/auth0-php-web-app · GitHub.

Perfect! Thank you! I’ll ping the repo maintainers in a few minutes!

Cheers. Thank you 🙂

No problem! We’re here for you!

Hi, @bhavith.chandra 👋 Thanks for your question.

An invalid state occurs when the SDK encounters an issue reading anticipated cookies. When login() is called, a series of temporary cookies are stored on the client device. After authenticating with Auth0 and being returned to the application, during the exchange() call, the SDK checks that those cookies are present and match up with what was expected. An invalid state is thrown when they do not.

There could be any number of things interfering there:

  • Browser settings or policies blocking cookies.
  • Mixing and localhost (each is considered a uniquely different host, and therefore has separate browser cookie jars.)
  • Proxying web server software interfering with cookies (this is often the case with Apache and Nginx; make sure you up their cookie header limits if you’re using those.)
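
A simplified model of the state check described in the reply above, added here as an example; it is not code from the Auth0 SDK or the quickstart. It models a single state cookie where the SDK stores a series of temporary cookies, and BrowserSim, startLogin, handleCallback and the host app.example.test are hypothetical names.

```php
<?php
// Added illustration: a simplified model of the state check, not the Auth0 SDK's code.
// Cookie jars are keyed by host, as in a browser. Host names are constructed.
final class BrowserSim
{
    private array $jars = [];            // host => [cookie name => value]
    public bool $blockCookies = false;   // models a browser policy that drops cookies

    public function set(string $host, string $name, string $value): void
    {
        if (!$this->blockCookies) {
            $this->jars[$host][$name] = $value;
        }
    }

    // Return the cookie and delete it, so a state value is single-use.
    public function take(string $host, string $name): ?string
    {
        $value = $this->jars[$host][$name] ?? null;
        unset($this->jars[$host][$name]);
        return $value;
    }
}

// Login step: store a random state in a cookie and send the same value to the IdP.
function startLogin(BrowserSim $browser, string $host): string
{
    $state = bin2hex(random_bytes(16));
    $browser->set($host, 'state', $state);
    return $state; // comes back to the callback as ?state=...
}

// Callback step: the returned state must match the cookie on the callback's host.
function handleCallback(BrowserSim $browser, string $host, array $query): string
{
    $expected = $browser->take($host, 'state');
    $received = (string) ($query['state'] ?? '');
    return ($expected !== null && hash_equals($expected, $received)) ? 'ok' : 'Invalid state';
}

$browser = new BrowserSim();
// Login and callback on the same host.
echo handleCallback($browser, 'localhost', ['state' => startLogin($browser, 'localhost')]), PHP_EOL;
// Login started on one host, callback delivered to another (separate cookie jar).
echo handleCallback($browser, 'localhost', ['state' => startLogin($browser, 'app.example.test')]), PHP_EOL;
// Cookies blocked by the browser.
$browser->blockCookies = true;
echo handleCallback($browser, 'localhost', ['state' => startLogin($browser, 'localhost')]), PHP_EOL;
```

Comparing the returned state against a value only the user's own browser holds is what lets the callback reject responses that did not originate from a login the user started, which is why the check should stay in place while the cookie problem is tracked down.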
