[SOLVED] Android: mismatching_state: CSRF Warning! State not equal in request and response

betterautomations1 · January 12, 2025, 1:05pm

I only have this problem in Android; Windows and iOS are fine. My app (app.securecoop.com) runs on Django+Gunicorn+Nginx. Nginx communicates via UNIX socket to Gunicorn, so there is no way to use the Django setting CSRF_TRUSTED_ORIGINS. I used this tutorial to build the Django app. Not knowing much about authentication, I didn’t change much from the original login/logout code. That tutorial uses the Auth0 new universal login. I use a custom subdomain for logging in.

After I login with Android, /callback (here is the full URL, but code and state are partially obscured) is supposed to redirect to /home, and it does on Windows and iOS, but on Android it throws the following error.

Please note that login is successful; If I go back to the home page it shows logged in. It’s just throwing an error on redirect.

I have exhausted the other hits on this forum such as this post (I didn’t understand the answer to be honest, and as mentioned, it does work in Windows and iOS, so I doubt it’s a misconfiguration) as well as other pages in Google. Not sure what I need to do.

I found an old Github bug report that states authlib uses a workaround for Auth0 else it generates that error, but I’m not clear how to implement the solution they offered, and it’s a pretty old bug so I don’t even know if it still applies.

Here is the login() function inside user/views.py:

def login(request):
    return oauth.auth0.authorize_redirect(
        request,
        request.build_absolute_uri(reverse("user:callback")),
    )

And here is where the code fails, when returning the redirect(), in the callback() function:

def callback(request):
    token = oauth.auth0.authorize_access_token(request)

    user = auth.authenticate(request, token=token)

    if user is not None:
        auth.login(request, user)

        # Email is not automagically added by Auth0
        user.email = token.get('userinfo', {}).get('email', '').lower()
        user.save()

        return redirect(request.build_absolute_uri(reverse("home:home")))

    return HttpResponse(status=400)

I realized after posting this that:

I should have cleared the device’s cache and tried again.
I should try another device.
I should have pasted the text of the error instead of a screenshot.

I am away from my dev computer at the moment and will try these after I get back later today.

betterautomations1 · January 12, 2025, 3:11pm

Just found another Android device (OS version 12) and it worked. I may have a faulty emulator. It is Bluestacks (latest version); I’ll try a third Android device later, and perhaps wipe Bluestacks and/or try a different emulator.

betterautomations1 · January 12, 2025, 7:14pm

Cleared all data from Chrome in Bluestacks and it, too is working. Marking this one as solved.

dawid.matuszczyk · January 13, 2025, 1:44pm

Hi @betterautomations1

Welcome to the Auth0 Community!

Thank you for sharing your solution with the rest of the community!

Have a great day!
Dawid

Topic		Replies	Views
: mismatching_state: CSRF Warning! State not equal in request and response Help configuration , application	1	225	November 25, 2024
Redirect URI Mismatch in Auth0 When Authenticating from Custom GPT Help login-experience , new-universal-login-experience	9	145	October 2, 2024
Non-google users need to login twice due to CSRF error Help auth0 , login , csrf	2	3185	April 26, 2023
Call Back Mismatch Error Help lock , auth0 , redirecturi	5	3845	April 9, 2020
Error with Google login on custom domain Help auth0 , login	9	11851	October 20, 2018

[SOLVED] Android: mismatching_state: CSRF Warning! State not equal in request and response

Related topics