Invalid state error caused by $store not retaining data

I’m integrating auth0 with an existing site running on PHP. So I’m using the auth0-php SDK.

It’s all working fine on my local environment. I call $auth0->login() to get the login URL, I redirect there, and then it calls the callback endpoint. That in turns calls $auth0->exchange(), and then I get the user with $auth0->getUser(). All good!

But then when deployed on our production environment (on, it doesn’t work. When $auth0->exchange() is called, it comes back with an invalid state error.

I’ve done quite a bit of research and debugging, and here is what I’ve found:

When we call $auth0->login(), it creates the $state string, and puts it in the internal storage: $store->store('state', (string) $state)

When we call $auth0->exchange(), it then tries to retrieve that state:
$verified = (null !== $state && $store->verify('state', $state))

And at that point $store is empty - it hasn’t retained any of the values. Somehow when we go to the login URL and come back to our site, $store is then empty.

I’ve also noticed that on my local environment I get three cookies: auth0_session_0, auth0_session_1, and some session cookie. On the prod environment I only get one cookie: auth0_transient_0

Any idea what could be the cause of this in our production environment? Some PHP setting of some sort?

Never mind, I found the issue. Cookies were restricted on I’ve allowed the auth0 cookies and it now all works fine.

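The mechanism the question describes (login() mints a state, parks it in a transient cookie, the callback's exchange() must find that same cookie again) and the cause found in the reply (the browser never sent the cookie back) can be reproduced end to end without Auth0. The script below is an added example written for this thread; it is not the auth0-php SDK's code and its helpers (login, exchange, simulate_idp_redirect, run_flow, the COOKIE_SECRET and the fake authorize/callback URLs) are assumptions for illustration. It signs the transient cookie with an HMAC where the real SDK encrypts it; the important property is the same: the state the IdP echoes back in the query string is only accepted if the same browser presents the cookie it was handed before the redirect.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret (assumption for this example; the real SDK
# derives its cookie protection from the configured cookie secret).
COOKIE_SECRET = b"replace-with-a-long-random-secret"
STATE_COOKIE = "auth0_transient_0"  # the one cookie name seen in the original post


class InvalidStateError(Exception):
    """Raised when the state echoed by the IdP cannot be matched to a stored one."""


def _sign(value: str) -> str:
    return hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()


def login(authorize_endpoint: str, redirect_uri: str) -> tuple[str, dict[str, str]]:
    """Start the flow: mint a random state, put it in a signed transient cookie,
    and return the authorize URL plus the cookie the app must Set-Cookie."""
    state = secrets.token_urlsafe(32)
    url = authorize_endpoint + "?" + urlencode({
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return url, {STATE_COOKIE: f"{state}.{_sign(state)}"}


def exchange(callback_url: str, request_cookies: dict[str, str]) -> str:
    """Handle the callback. The state in the query must equal the signed state
    stored in the transient cookie sent with *this* request. Returns the code."""
    query = parse_qs(urlparse(callback_url).query)
    echoed_state = query.get("state", [None])[0]
    raw = request_cookies.get(STATE_COOKIE)
    if echoed_state is None or raw is None:
        # Exactly the production symptom from the post: the store is empty
        # because the browser did not send the transient cookie back.
        raise InvalidStateError("no stored state: transient cookie missing")
    stored_state, _, signature = raw.rpartition(".")
    if not hmac.compare_digest(signature, _sign(stored_state)):
        raise InvalidStateError("transient cookie tampered with or signed by another key")
    if not hmac.compare_digest(stored_state, echoed_state):
        raise InvalidStateError("state in query does not match stored state")
    # A real implementation also clears the cookie here so the state is single-use.
    return query["code"][0]


def simulate_idp_redirect(authorize_url: str) -> str:
    """Stand-in for Auth0: read redirect_uri and state from the authorize request
    and send the browser back with a (constructed) authorization code."""
    q = parse_qs(urlparse(authorize_url).query)
    return q["redirect_uri"][0] + "?" + urlencode({"code": "fake-code-123", "state": q["state"][0]})


def run_flow(cookies_allowed: bool) -> str:
    """Drive browser -> app -> IdP -> app. With cookies_allowed=False the browser
    drops the transient cookie, which reproduces the 'invalid state' failure."""
    url, set_cookie = login("https://tenant.example.auth0.com/authorize",
                            "https://app.example/callback")
    jar = dict(set_cookie) if cookies_allowed else {}
    callback = simulate_idp_redirect(url)
    return exchange(callback, jar)


if __name__ == "__main__":
    print("with cookies:", run_flow(True))
    try:
        run_flow(False)
    except InvalidStateError as err:
        print("without cookies:", err)
```

The callback is a top-level redirect arriving from another site, so any cookie the browser refuses to store or to send on that navigation (blocked by policy, wrong Domain or Path, a Secure cookie on a plain-HTTP callback) produces the same "invalid state" even though login() stored the value correctly, which is why comparing the cookies visible in local and production environments, as the poster did, is the fastest diagnostic.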

Thanks for sharing with the rest of community @hubert_r !
