An error occurred "States do not match". It doesn't allow multiple clients to log in at the same time.

[JeySamir]

I'm trying to log in from two different browser tabs at the same time, and when the first succeeds, the second gets an error after the consent page:

http://127.0.0.1:5555/callback?code=jmCFpJm388TJLzHhfJul9xEZEEmjHt1qqWy4E3JdAV8.D3CwDvIED9O24R-oiJAVlURPwGag7niAQZa_8OwoFvU&scope=openid+offline&state=qinoivldzpldfpbnvuefbgtj

The error page contains:

An error occurred
States do not match
Expected state mkokyvwcxlgvhpwpcdpykxfd but got qinoivldzpldfpbnvuefbgtj

I understand that this is due to checking the "state" variable in a particular line of code:

hydra/cmd/token_user.go

Line 235 in 9544c03

if r.URL.Query().Get("state") != string(state) {

But I don't understand what it's done for. This example application basically doesn't allow multiple clients to log in at the same time.

What is the purpose of this "state" variable check anyway, what is the concept?
How should it be implemented in a system that allows multiple users to log in at the same time?

Unfortunately, I could not find anything clear about this in the documentation. Could someone please explain it and provide links to materials explaining it.

[vinckr]

Hey @JeySamir
apologies for the late response!
Are you still stuck on this?

How should it be implemented in a system that allows multiple users to log in at the same time?

We recommend to use a dedicated solution for that, for example Ory Kratos.

I'm trying to log in from two different browser tabs at the same time

This probably does not work on localhost, I am not sure how the setup looks on your side though.