Invalid state -> php error

Hi There,

My question is similar to other topics I’ve seen here like Invalid state (error 500) after PHP/SDK redirect, but I haven’t found a solution that works yet. So far I’ve tried force disabling cache on callback.php, outright disabling state_handler = false in the config, different responseTypes.

  • Which SDK does this apply to? (Ex: auth-node)
    Using the PHP sdk installed with composer
  • Which verison of the SDK you are using? (Ex: 1.0)
  • Which version of the platform are you facing this error on? (Ex: Node 6.4)
    PHP Version 7.2.7
  • Was this code working before? Have you made any changes in the dashboard recently?
  • Please capture and attach the stacktrace, it helps a lot!
    Here’s the php error message, hope that helps.

Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /customers/c/4/d/ Stack trace: #0 /customers/c/4/d/ Auth0\SDK\Auth0->exchange() #1 /customers/c/4/d/ Auth0\SDK\Auth0->getUser() #2 {main} thrown in /customers/c/4/d/ on line 511

  • Please share the code that is causing the error. (in vendor/auth0/auth0-php/src/auth0.php:511)
    if (! $this->stateHandler->validate($state)) {
    throw new CoreException(‘Invalid state’);
  • Can you share a minimum reproducible?
    Largely followed this video: Build your own Single Sign-on (SSO) system in PHP - YouTube with a few tweaks as it is outdated and created before 5.1.0 and has no state validation.

Here’s my entire callback.php as of creating topic


header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);

// $e = new \Exception;
// var_dump($e->getTraceAsString());

require "init.php";

$userInfo = $auth0->getUser();

if (!$userInfo) {
    // We have no user info
    // redirect to Login
    die("Error while logging in. Please try again. <a href='/'>Go back</a>");
} else {
    // User is authenticated
    // Say hello to $userInfo['name']
    // print logout button
    // echo debug_print_backtrace();

    echo "hi there ";

It’s also worth noting that each login is marked as successful in the admin panel in the log.

Philip A

Hi @philipaarseth … sorry for the trouble here but we should be able to get you up and running.

TL; DR on state validation … a value is generated in the SDK, saved in a PHP session, then validated in the callback. This helps to mitigate CSRF attacks and, if desired, can be used to maintain the state of your application. As you mentioned, this was added fairly recently to the SDK and is automatic if you use the provided methods.

Nothing happens on the Auth0 server with state, it’s just received and then sent back to the callback URL. The main things to check in your app are:

  • Are you generating a state and sending that to Auth0? If you’re using Auth0::login() without passing in a value for $state then you are.
  • Are you storing that state in the correct place ($_SESSION['auth0__webauth_state']). Again, that method above does this for you.
  • Are you checking what comes back from Auth0 in the state URL param with the correct storage location? I see Auth0::getUser() in your app code above so it looks like you are.

Debug that process all the way through and you should figure out where the state check is failing. There might also be environmental issues going on, though, and you can try working through our state validation troubleshooting guide for WordPress:

Some of that information is not applicable here but the debugging steps and edge cases might be.

Let me know if I can help any further!


Thanks for replying Josh!

As to the steps you mentioned, I don’t think we’re doing any of that. Do you guys have a tutorial on how to implement states correctly?

btw, here is the config that I use on my pages

 use Auth0\SDK\Auth0;

 $auth0 = new Auth0([
  'domain' => 'domain',
  'client_id' => 'client_id',
  'client_secret' => 'client_secret',
  'redirect_uri' => '',
  'audience' => '',
  'scope' => 'openid profile',
  'persist_id_token' => true,
  'persist_access_token' => true,
  'persist_refresh_token' => true,

I followed the Quickstart guide for php and it doesn’t mention state. It seems to me that state isn’t optional, and that should probably be reflected in your reference documentation :slight_smile: I couldn’t find it on the GitHub sample either I also found the link you sent earlier, but I’m not using Wordpress, so I figured it didn’t apply to my use case.

@philipaarseth - happy to help!

That was a lot of explanation around what goes on behind the scenes but, if you’re using the built-in methods, then you don’t need to do anything extra. I wanted to point out a few other ways of logging in that might be causing the issue. The WP link is just some extra general troubleshooting steps that might be helpful in a PHP environment.

The Quickstart needs an update but what’s there should work out of the box and handle state behind the scenes. If not, which it sounds like it is not in your case, then the questions I asked above should direct you to the right place to debug.

I guess I may not be using built-in methods, but I’d love to do that. The easier and quicker setup the better, then customise. How do we do that?

I restarted the whole project using the sample and Quickstart, now everything works fine :grin:
Idk what I did wrong, but it doesn’t matter. Anyway, thanks for your assistance, Josh!


Happy to help and glad you got it figured out!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.