State parameter in OAuth2 - stored in cookie for stateless app?!

I am securing some UI pages: whenever a new request comes, if it has no accessToken or code, I redirect it to our oauth2 provider login page.

But in this redirect URL I add a state parameter, and I also store the value of this state parameter as a cookie (called STATE_COOKIE) in the redirected request.

When another request comes with a code, I first look to see if it has a STATE_COOKIE, then exchange the code for an accessToken, then check if the STATE_COOKIE value is the same as the state in the accessToken.

Is this how I am supposed to use the state parameter? I cannot (do not know how to) store it locally, as there is no session concept in our app. It would be very easy for me to store this state value locally, and when I get an accessToken compare its state value with the locally stored one (ones).

What should I do?

No, the state parameter is made to prevent cross-site forgery attacks. Having it sent as a cookie means that the client can simply send a state cookie and state parameter that match, circumventing the security measures.

But where am I supposed to store the state param, as I have no session, and do not know how to remember the state UUID I have generated for a given request?
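The thread ends without saying how an app with no server-side session can still bind `state` to the browser that started the login. The following is an added example, not code posted by anyone in this thread: it keeps the random `state` in an HMAC-signed, HttpOnly, SameSite cookie (the page's STATE_COOKIE name is reused), and on the callback checks the cookie's signature, compares the cookie value against the `state` query parameter in constant time, and enforces a short lifetime, all before the `code` is exchanged. `SERVER_SECRET`, the provider and redirect URLs, and the 5-minute TTL are assumptions for the example.

```python
"""Stateless OAuth2 state handling with an HMAC-signed cookie (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one secret shared by every instance of the stateless app, loaded from config.
SERVER_SECRET = b"replace-with-a-random-secret-from-your-config"
STATE_COOKIE = "STATE_COOKIE"        # cookie name used in the thread
STATE_TTL_SECONDS = 300              # assumption: a login attempt is valid for 5 minutes


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the state so a client cannot forge the cookie contents."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def query_param(url: str, name: str):
    """First value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def start_login(authorize_url: str, client_id: str, redirect_uri: str, now=None):
    """Build the redirect Location and the Set-Cookie value carrying the bound state."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(32)           # unguessable per-request value
    state = f"{nonce}.{now}"                    # issue time travels with the state
    signed = f"{state}.{_sign(state)}"          # value stored in the cookie
    location = authorize_url + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    # HttpOnly: not readable by page scripts; Secure: HTTPS only; SameSite=Lax: still sent
    # on the top-level redirect back from the provider but not on cross-site POSTs.
    cookie = (f"{STATE_COOKIE}={signed}; HttpOnly; Secure; SameSite=Lax; "
              f"Max-Age={STATE_TTL_SECONDS}; Path=/")
    return location, cookie


def verify_callback(callback_url: str, cookies: dict, now=None) -> str:
    """Return the authorization code only if the state is bound to this browser; raise otherwise.

    Call this before exchanging the code for a token, so a forged callback costs nothing.
    """
    now = int(time.time()) if now is None else now
    state = query_param(callback_url, "state")
    code = query_param(callback_url, "code")
    raw = cookies.get(STATE_COOKIE)
    if not (state and code and raw):
        raise ValueError("missing state, code or state cookie")
    cookie_state, _, mac = raw.rpartition(".")
    # Signature first: a cookie the client made up fails here.
    if not hmac.compare_digest(mac, _sign(cookie_state)):
        raise ValueError("state cookie signature invalid")
    # Then bind the callback to the browser that started the login.
    if not hmac.compare_digest(cookie_state, state):
        raise ValueError("state mismatch")
    _, _, issued = cookie_state.rpartition(".")
    if now - int(issued) > STATE_TTL_SECONDS:
        raise ValueError("state expired")
    return code


if __name__ == "__main__":
    loc, set_cookie = start_login("https://provider.example/authorize", "my-client",
                                  "https://app.example/cb")
    print("Location:", loc)
    print("Set-Cookie:", set_cookie)
```

The server stores nothing between the two requests: everything it needs to verify the callback is in the signed cookie, and the signature is what stops a client from sending a cookie and a `state` parameter it chose itself. The usual deployment detail is to clear STATE_COOKIE once the callback has been accepted so the same state cannot be replayed within its TTL.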
