Hi,
Thanks for replying Josh!
As to the steps you mentioned, I don’t think we’re doing any of that. Do you guys have a tutorial on how to implement states correctly?
btw, here is the config that I use on my pages
use Auth0\SDK\Auth0;
$auth0 = new Auth0([
'domain' => 'domain',
'client_id' => 'client_id',
'client_secret' => 'client_secret',
'redirect_uri' => 'https://domain.com/callback.php',
'audience' => 'https://domain.eu.auth0.com/userinfo',
'scope' => 'openid profile',
'persist_id_token' => true,
'persist_access_token' => true,
'persist_refresh_token' => true,
]);
I followed the Quickstart guide for php and it doesn’t mention state. It seems to me that state isn’t optional, and that should probably be reflected in your reference documentation 
I couldn’t find it on the GitHub sample either https://github.com/auth0-samples/auth0-php-web-app/tree/master/00-Starter-Seed. I also found the link you sent earlier, but I’m not using Wordpress, so I figured it didn’t apply to my use case.