I’m integrating auth0 with an existing site running on PHP. So I’m using the auth0-php SDK.
It’s all working fine on my local environment. I call $auth0->login() to get the login URL, I redirect there, and then it calls the callback endpoint. That in turns calls $auth0->exchange(), and then I get the user with $auth0->getUser(). All good!
But then when deployed on our production environment (on Platform.sh), it doesn’t work. When $auth0->exchange() is called, it comes back an invalid state error.
I’ve done quite a bit of research and debugging, and here is what I’ve found:
When we call $auth0->login(), it creates the $state string, and puts it in the internal storage: $store->store('state', (string) $state)
When we call $auth0->exchange(), it then tries to retrieve that state:
$verified = (null !== $state && $store->verify('state', $state))
And at that point $store is empty - it hasn’t retained any of the values. Somehow when we go to the login URL and come back to our site, $store is then empty.
I’ve also noticed that on my local environment I get three cookies: auth0_session_0, auth0_session_1, and some session cookie. On the prod environment I only get one cookie: auth0_transient_0
Any idea what could be the cause of this in our production environment? Some PHP setting of some sort?