PHP SDK Login - Invalid state

We are using PHP SDK 7.3 for doing a login. We have a pretty basic setup using the Universal Login and a callback.php that contains this code pretty much:

$auth0 = new Auth0([
  'domain'        => AUTH_DOMAIN,
  'client_id'     => AUTH_CLIENT_ID,
  'client_secret' => AUTH_CLIENT_SECRET,
  'redirect_uri'  => AUTH_CALLBACK,

try {
  if ($user = $auth0->getUser()) {
    // Do stuff with user
} catch (Exception $e) {

Everything works like 99% of the time. But now we have 1 user that cant login on his old iPhone 6 in Safari (dont know versions). I can see in the logs that the Exception is “Invalid state”. I’ve asked the user to clear cookies, restart browser etc etc. But the issue persists. He can login if he uses his computer. I understood that I could add the param: 'state_handler' => false but that doesn’t feel like a safe workaround for 1 user having issues.

Anyone has any suggestions on how to solve this? There are +10.000 users that don’t have issues, but our customer support wants me to call him and guide him in the right way. What should I ask him to do, as I guess that it has to be something with his client…?

I managed to do some extra debugging. It looks like the cookie auth0__state is not set when the user is sent back to the callback, hence the URL param state= cant validate. This is sooo strange?

I can see that other cookies like Analytics etc. is set, so it’s not a matter of user blocking cookies.

However, it seems strange that the issue only should happen to like one user. That the cookie dont have time to be set before the redirect happens.