When talking about state, the documentation and the posts in this forum talk about how it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in - as the documentation says to do every time - if the request were being intercepted, the third-party …

Why use state, or even nonce?

jerdog Split this topic April 2, 2018, 5:35pm 2

Topic		Replies	Views
State vs nonce in auth0-js Get Help auth0js , csrf	5	15467	August 30, 2019
SPA's don't do authentication (replay attacks) Get Help	2	4589	July 25, 2019
Where should the 'state' nonce be generated and checked? Get Help authorization-code-f , state	2	10123	July 25, 2019
Usage of the OAuth state parameter Get Help javascript , state , pwa	2	6658	March 2, 2018
Proper auth0-js state/nonce management? Get Help auth0	1	4795	December 19, 2019