When talking about state, the documentation and the posts in this forum talk about how it is intended to prevent CSRF attacks. How does it do this? If I send a value to Auth0 when a user logs in - as the documentation says to do every time - if the request were being intercepted, the third-party …

Why use state, or even nonce?

jerdog Split this topic April 2, 2018, 5:35pm 2

Topic		Replies	Views
SPA's don't do authentication (replay attacks) Help	2	4535	July 25, 2019
State vs nonce in auth0-js Help auth0js , csrf	5	14397	August 30, 2019
Where should the 'state' nonce be generated and checked? Help authorization-code-f , state	2	9619	July 25, 2019
Are nonce and state automatically verified? Help	1	3515	April 23, 2020
Proper auth0-js state/nonce management? Help auth0	1	4696	December 19, 2019