"State parameter is invalid" error occurring randomly

When testing my log in experience, I occasionally get an error that says something like “State parameter is invalid”. It only occurs occasionally so I’m not sure how to reproduce it. My only thought is that it could possibly have something to do with Cloudflare? I only say that because I noticed this happening soon after I used Cloudflare for my DNS, but maybe it was a coincidence.

I’ll try to give relevant info to help troubleshoot this. I’m using very basic settings. Login via username and password. I had Google login but removed it. This is my middleware code:

```ts
import type { NextRequest } from "next/server"

import { auth0 } from "./lib/auth0"

export async function middleware(request: NextRequest) {
  return await auth0.middleware(request)
}

export const config = {
  matcher: [

    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
}
```

I set up a custom domain.

When users register, they click this button:

```tsx
<Button size="4" disabled={isLoading} asChild>
  <a href={user ? "/register" : "/auth/login?screen_hint=signup&returnTo=/register"}>
    <Text size="4" weight="bold">Register</Text>
  </a>
</Button>
```

I’m not sure what else I can provide. Any ideas?


I started facing the same issue last week when I updated the Auth0 Next.js SDK to the latest v4 beta. In my case it happens only on some computers (using Chrome). Accessing my testing environment from some computers has returned this “State parameter is invalid”.
The only way I could reproduce it locally is by blocking cookies from being saved. But the problem is that the computers that face this issue can save cookies and should be fine. So, no idea how to fix it.

@mmaccou what version of the Next.js SDK are you using? What browsers have you tried to access the application with?

Hey, thanks for the reply. I’m using v4 also. I don’t think it’s the beta though? I’ve noticed it on Chrome and Brave, but I think it also happened on Safari on mobile.

@mmaccou I just found out the solution to my issue; it may be similar to yours. In my case, the origin URL was not matching the callback URL. Every time the testing env was being accessed with a www in front of the URL, the state was being stored in a cookie store with 'www.*' in the beginning, causing the comparison between the state in the callback response. So it had nothing to do with browser or SDK version, but with the way users were accessing the app.

Hope it helps.
Best regards

GREAT CATCH! I think that’s the problem with mine too. I just tested without the www and got the same error. Then put in the www and it worked. I’ll set a permanent redirect to www and that should solve it. Thanks


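The host mismatch found in this thread, as an added example that is not code from any poster or from the Auth0 SDK: a small model of a host-only cookie jar shows why a login started on one host fails the state check when the callback lands on the other, and why a permanent redirect to a single host fixes it. The hosts, the `/auth/callback` path, the `txn_state` cookie name and the assumption that the state cookie is host-only (set without a `Domain` attribute) are all constructed for illustration.

```typescript
// Added illustration; hosts, paths and names are constructed, not taken from the SDK.
const CANONICAL_ORIGIN = "https://www.example.com"; // host the callback URL is registered on
const CALLBACK_URL = CANONICAL_ORIGIN + "/auth/callback"; // assumed callback path

// Model of a browser jar for host-only cookies (no Domain attribute):
// such a cookie is sent back only to the exact host that set it.
class HostOnlyJar {
  private byHost = new Map<string, Map<string, string>>();
  set(url: string, name: string, value: string): void {
    const host = new URL(url).hostname;
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host)!.set(name, value);
  }
  get(url: string, name: string): string | undefined {
    return this.byHost.get(new URL(url).hostname)?.get(name);
  }
}

// URL to permanently redirect to, or null when the request is already on the canonical origin.
function canonicalRedirect(requestUrl: string, origin: string = CANONICAL_ORIGIN): string | null {
  const req = new URL(requestUrl);
  const base = new URL(origin);
  if (req.origin === base.origin) return null;
  req.protocol = base.protocol;
  req.hostname = base.hostname;
  req.port = base.port;
  return req.toString(); // path and query (e.g. returnTo) are preserved
}

// Simulates: user opens entryUrl -> login stores the state cookie -> provider returns to CALLBACK_URL.
function loginRoundTrip(entryUrl: string, enforceCanonicalHost: boolean): string {
  const jar = new HostOnlyJar();
  const redirect = enforceCanonicalHost ? canonicalRedirect(entryUrl) : null;
  const loginUrl = redirect ?? entryUrl; // host that actually sets the cookie
  const state = "constructed-state-value"; // stands in for the per-login random state
  jar.set(loginUrl, "txn_state", state); // hypothetical cookie name
  const seenAtCallback = jar.get(CALLBACK_URL, "txn_state");
  return seenAtCallback === state ? "ok" : "State parameter is invalid";
}
```

In a Next.js app the redirect itself would be issued before the auth middleware runs, or at the DNS/CDN layer, so that the login request and the callback always share one host.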