State parameter in OAuth2 - stored in cookie for stateless app?!


(J Ohn Stuart) #1

I am securing some UI pages: whenever a new request comes, if it has no accessToken or code, I redirect it to our oauth2 provider login page.

But, in this redirect URL I add a state parameter, and the value of this state parameter I also store as a cookie (called STATE_COOKIE) in the redirected request.

When another request comes with a code, I first look to see if it has a STATE_COOKIE, then exchange the code for an accessToken, then check if the STATE_COOKIE value is the same as the state in the accessToken.

Is this how I am supposed to use the state parameter? I cannot (do not know how to) store it locally, as there is no session concept in our app. It would be very easy for me to store this state value locally, and when I get an accessToken, compare its state value with the locally stored one (ones).

What should I do?


(Dean Bassett) #2

No, the state parameter is made to prevent cross-site forgery attacks. Having it sent as a cookie means that the client can simply send a state cookie and state parameter that match, circumventing the security measures.
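To make the point in the reply concrete, here is an added example (not code from either poster) contrasting the plain "cookie equals parameter" check from the question with a stateless check that binds the state to a server-held secret: the cookie carries a random nonce and the state parameter is an HMAC over that nonce, so a matching pair cannot be assembled by whoever controls both values. The SERVER_SECRET, the STATE_COOKIE name and the dict-shaped cookies/query inputs are assumptions; the state is read from the callback query string and checked before the code is exchanged.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
STATE_COOKIE = "STATE_COOKIE"


def naive_is_valid(state_cookie: str, state_param: str) -> bool:
    """The pattern from the question: accept when cookie and parameter are equal.
    Any party able to set both values satisfies this check."""
    return state_cookie == state_param


def new_state(secret: bytes = SERVER_SECRET) -> Tuple[str, str]:
    """Return (cookie_value, state_param) for a new authorization redirect.
    The cookie holds a random nonce; the state is a keyed MAC over that nonce,
    so no server-side session is needed and no pair is forgeable without the key."""
    nonce = secrets.token_urlsafe(16)
    state = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return nonce, state


def keyed_is_valid(state_cookie: str, state_param: str, secret: bytes = SERVER_SECRET) -> bool:
    """Callback check: recompute the MAC from the cookie nonce and compare in constant time."""
    expected = hmac.new(secret, state_cookie.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, state_param)


def handle_callback(cookies: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Return the authorization code only if the state check passes; None means
    the callback must be rejected before any token exchange is attempted."""
    cookie = cookies.get(STATE_COOKIE)
    state = query.get("state")
    code = query.get("code")
    if not (cookie and state and code):
        return None
    if not keyed_is_valid(cookie, state):
        return None
    return code


if __name__ == "__main__":
    cookie, state = new_state()
    print("genuine pair, keyed check:", keyed_is_valid(cookie, state))       # True
    print("attacker-chosen pair, naive check:", naive_is_valid("x", "x"))    # True
    print("attacker-chosen pair, keyed check:", keyed_is_valid("x", "x"))    # False
```

The callback handler rejects a missing or mismatched state before touching the code, so a forged callback never reaches the token endpoint.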