Auth0 Error: 'Invalid state' in /auth0/vendor/auth0/auth0-php/src/Auth0.php: line#537

[musaddiq-pk]

Hello!

After searching for few hours I'm still struggling to fix the issue. Following error message is displayed on callback page.
Fatal error: Uncaught exception 'Auth0\SDK\Exception\CoreException' with message 'Invalid state' in auth0/vendor/auth0/auth0-php/src/Auth0.php:537.

Here is state value: 5ca21f797a9659.40872849. And my test home page is https://www.casaskipito.com/auth0/.

Any help will be appreciated.
Thanks!

[joshcanhelp]

Hi @musaddiq-pk! This could be happening for a number of reasons. We have a few threads on our Community site that can help:

https://community.auth0.com/t/invalid-state-php-error/17320/8

https://community.auth0.com/t/invalid-state-error-500-after-php-sdk-redirect/13895/

https://community.auth0.com/t/state-paremeter-woes/21396/

[derMatze82]

I have the same problem with SDK Version 5.4.0 from time to time.
Although there is a try/catch block, I got a CoreException. How could that be?

try {
$userInfo = $auth0->getUser();
} catch (CoreException $e) {
// Invalid state or session already exists.
unset($_SESSION['user']);
session_destroy();
$auth0->login();
die();
} catch (ApiException $e) {
// Access token not present.
unset($_SESSION['user']);
session_destroy();
$auth0->login();
die();
}

[joshcanhelp]

@derMatze82 - I have no clue, that's very strange. Can you try catching a plain Exception there and see what happens? Is it possible that you have another getUser() before that one?

[derMatze82]

I have updated to 5.5, as I found out that this issue should be fixed there.
I will comment here when this Exception is happening again

[derMatze82]

@joshcanhelp

Still happening in auth0 sdk 5.5, PHP 7.2:

Got error 'PHP message: PHP Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /home/a/b/c/d/vendor/auth0/auth0-php/src/Auth0.php:536\

Exception is not catchable in a try/catch block. Seems that the error appears in case of multiple browser-tabs open with the same page that includes the auth0 sdk

[joshcanhelp]

Exception is not catchable in a try/catch block.

I'm not sure what to say about that. You're either calling this in another place that's not being caught or there is something wrong with your try...catch code. Do you have a use statement at the top of the file that's doing this? Maybe try just catching \Exception since you're doing the same thing in both catch blocks.

The invalid state error itself might be related to running the auth process in two different tabs. If you start the auth in one tab and then start it in another and complete the first, there will be a mis-match in the values that we're storing in the PHP session

[xaoseric]

@derMatze82 can you try updating your SessionStateHandler in /vendor/auth0/auth0-php/src/API/Helpers/State and replace the issue function with the following?

public function issue()
{
    $state = $this->store->get(self::STATE_NAME);
    if ($state === null) {
        $state = uniqid('', true);
        $this->store($state);
    }
        
    return $state;
}

[derMatze82]

Thanks, I updated the code

[derMatze82]

Still getting this error from time to time:

AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /abc/auth0/vendor/auth0/auth0-php/src/Auth0.php:536
Stack trace:
#0 /abc/auth0/vendor/auth0/auth0-php/src/Auth0.php(458): Auth0\SDK\Auth0->exchange()
#1 /abc/callback/index.php(28): Auth0\SDK\Auth0->getUser()
#2 {main}
thrown in /abc/auth0/vendor/auth0/auth0-php/src/Auth0.php on line 536

it's strange because in line 28:

try {
$userInfo = $auth0->getUser(); <-- Line 28
} catch (CoreException $e) {

But its not catched

[xaoseric]

but your not getting the error all the time @derMatze82?

[derMatze82]

@xaoseric No, only some users are facing this problem, most of the other users can login successfully

[xaoseric]

@derMatze82 try clearing your laravel cache folder and session cache files for laravel. Ive seen it happen when a user deletes their account on the Auth0 side.

[derMatze82]

I dont use any framework, it`s a self written PHP Application. Users cannot signup or delete account.
Accounts are imported.

[ValeSauer]

I had this issue on an application that was available on two subdomains a and b but uses only b as an configured application domain. When user accesses a Auth0's nonce (aka state) was created only for a leading to a failing validation due to an empty session when Auth0 redirected back to the configured application url on b.

I solved this issue by setting php's cookie domain to b.. Concretely in my laravel app i set the envvar
SESSION_DOMAIN=b

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.