Thanks for the detailed response and explanation Evan!
Currently in Auth0, my app is configured as such:
- Regular web application
- Application Login URI: not set
- Allowed Callback URLs: http://localhost:8000/auth0/callback
- Allowed Logout URLs: http://localhost:8000/
- Allowed web origins: http://localhost/
Other than that it’s all defaults.
I’ve attached some pictures of the cookies on the app’s /login route and the /auth0/callback route. Looks like there’s no state cookie being set on the /auth0/callback route.
Below are some pictures of the login flow and what happens when the user returns to the app. We’re essentially just directing the user at the /login route when they click the login button, as pictured here:
As you can see this follows the \Auth\AuthIndexController@login method, which hasn’t been modified except for this line:
where we’re just pointing the user at our /home endpoint once they’ve been logged in, where some processing occurs (checking user roles and setting up the environment based on that). Nothing with the sessions/cookies.
If you’d like to see more of the code around how I’ve configured our Auth0 Setup within my PHP app please let me know.
I appreciate all your help. Thanks!
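The symptom described in this post (no state cookie present on the /auth0/callback route) is worth modelling, because the `state` check is what ties the authorization response back to the browser that started the login. The block below is an added example, not code from the poster's app or from the Auth0 PHP SDK: it models the two routes as plain functions over a dictionary standing in for the browser's cookie jar. The cookie name `auth0_state`, the tenant host, the client id and the authorization code are constructed placeholders.

```python
"""Added example (not from the original post or from Auth0's SDK): a minimal
model of the Authorization Code flow's `state` binding, showing why a missing
state cookie on the callback must be treated as a failed login rather than
ignored.  Route names, cookie name and all identifiers are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

STATE_COOKIE = "auth0_state"  # assumed cookie name
CALLBACK_URL = "http://localhost:8000/auth0/callback"  # as configured in the post
AUTHORIZE_URL = "https://TENANT_PLACEHOLDER.auth0.com/authorize"  # placeholder tenant


def login(cookie_jar: dict) -> str:
    """Model of GET /login: mint a random state, store it in a cookie the
    browser will send back to the callback, and redirect to the IdP."""
    state = secrets.token_urlsafe(32)
    cookie_jar[STATE_COOKIE] = state
    params = {
        "response_type": "code",
        "client_id": "CLIENT_ID_PLACEHOLDER",
        "redirect_uri": CALLBACK_URL,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def callback(cookie_jar: dict, request_url: str) -> tuple[int, str]:
    """Model of GET /auth0/callback: accept the code only if the `state`
    query parameter equals the value stored in this browser's cookie."""
    query = parse_qs(urlparse(request_url).query)
    returned_state = query.get("state", [""])[0]
    expected = cookie_jar.pop(STATE_COOKIE, None)  # single use: consumed on arrival
    if expected is None:
        # Exactly the situation in the post: the browser arrived at the
        # callback without the cookie that /login set.
        return 400, "state cookie missing on callback"
    if not hmac.compare_digest(expected, returned_state):
        return 400, "state mismatch"
    code = query.get("code", [""])[0]
    if not code:
        return 400, "missing authorization code"
    # A real handler would now exchange `code` for tokens and start a session.
    return 302, "/home"


def simulate(cookie_sent_back: bool, tamper_state: bool = False) -> tuple[int, str]:
    """Drive one login round trip.  `cookie_sent_back=False` reproduces the
    reported symptom; `tamper_state=True` models a forged response."""
    jar: dict = {}
    redirect = login(jar)
    state = parse_qs(urlparse(redirect).query)["state"][0]
    if tamper_state:
        state = secrets.token_urlsafe(32)
    # Constructed IdP response: the user is sent back with a code and the state.
    return_url = f"{CALLBACK_URL}?{urlencode({'code': 'CONSTRUCTED_CODE', 'state': state})}"
    return callback(jar if cookie_sent_back else {}, return_url)


if __name__ == "__main__":
    print(simulate(cookie_sent_back=True))   # (302, '/home')
    print(simulate(cookie_sent_back=False))  # (400, 'state cookie missing on callback')
    print(simulate(True, tamper_state=True))  # (400, 'state mismatch')
```

The useful check when debugging this in a real app is the one `callback` performs first: confirm the browser actually presented the state cookie on the callback request before looking at anything else. In practice the cookie can be set correctly on /login and still not arrive, for instance when it carries `SameSite=Strict`, since the return from the identity provider is a cross-site redirect and Strict cookies are not sent on it; `Lax` is what that top-level navigation needs.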