"State parameter is invalid" error occuring randomly

mmaccou · February 24, 2025, 12:44am

When testing my log in experience, I occasionally get an error that says something like “State parameter is invalid”. It only occurs occasionally so I’m not sure how to reproduce it. My only thought is that it could possibly have something to do with Cloudflare? I only say that because I noticed this happening soon after I used Cloudflare for my DNS, but maybe it was a coincidence.

I’ll try to give relevant info to help troubleshoot this. I’m using very basic settings. Login via username and password. I had Google login but removed it. This is my middleware code:

import type { NextRequest } from "next/server"

import { auth0 } from "./lib/auth0"

export async function middleware(request: NextRequest) {
  return await auth0.middleware(request)
}

export const config = {
  matcher: [

    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
}

I set up a custom domain.

When users register, they click this button:

<Button size="4" disabled={isLoading} asChild>
  <a href={user ? "/register" : "/auth/login?screen_hint=signup&returnTo=/register"}>
    <Text size="4" weight="bold">Register</Text>
  </a>
</Button>

I’m not sure what else I can provide. Any ideas?

lribas · February 24, 2025, 12:03pm

I started facing the same issue since last week when I updated auth0 nextjs sdk to the latest v4 beta. In my case it happens only in some computers (using chrome). Accessing my testing environment from some computers have returned this “State parameter is invalid”.
The only way I could reproduce it locally is blocking cookies to be saved. But, the problem is that the computers that face this issue can save cookies and should be fine. So, no idea how to fix it.

@mmaccou are you using what version of the nextjs SDK? What browsers have you tried to access the application?

mmaccou · February 24, 2025, 6:03pm

Hey thanks for the reply. I’m using v4 also. I dont think it’s the beta though? I’ve noticed on Chrome and Brave, but I think it also happened on Safari on mobile.

lribas · February 24, 2025, 7:31pm

@mmaccou I just find out the solution to my issue, it may be similar to yours. In my case, the origin url was not matching the callback url. Every time the testing env was being accessed with a www in front of url, the state was being stored in a cookie store with 'www.*'in the beginning, causing the comparison between the state in the call back response. So there was nothing to do with browser or sdk version, but with the way user’s were accessing the app.

Hope it helps.
Best regards

mmaccou · February 24, 2025, 7:56pm

GREAT CATCH! I think that’s the problem with mine too. I just tested without the www and got the same error. Then put in the www and it worked. I’ll set a permanent redirect to www and that should solve it. Thanks

system · March 10, 2025, 7:57pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Intermittent "Invalid state" errors Get Help lock , auth0 , login	0	1953	February 4, 2022
State Mismatch issue with custom login screen and Auth0-js and NextJS Get Help	3	2612	July 28, 2022
Auth0 NextJS invalid_grant (Failed to verify code verifier) Get Help login-experience , new-universal-login-experience	0	367	June 13, 2024
Invalid State Error After Long Inactivity on Universal Login Page Get Help classic-universal-login-experience , login-experience	4	255	October 10, 2024
Intermittent Invalid State Get Help auth0-spa-js	2	2867	September 14, 2021

"State parameter is invalid" error occuring randomly

Related topics