LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

In OAuth, what is the state parameter for?

It's an unguessable value the client sends to /authorize and checks when the user returns — its main job is to prevent CSRF attacks on the redirect.

Client stores a random state, the AS echoes it; match accepts, mismatch rejects (CSRF).

* The unguessable state, echoed and re-checked, blocks forged (CSRF) callbacks. *

When the app redirects the user to the authorization server, it includes state=<random>. The AS echoes that same value back in the redirect. The client then verifies it matches what it sent.

Why this stops CSRF: an attacker can't forge a valid callback (e.g. tricking your browser into completing their login on your account) because they can't predict the random state your session expects. A mismatch ⇒ reject the response.

Secondarily, state can carry app context — e.g. "the user was on /cart, send them back there after login."

Tip: state is to the OAuth redirect what an anti-CSRF token is to a form POST: a value only your legitimate session knows.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026