The state check in the Basic Usage example will only fail if the session variable is set. If an attacker uses a fresh session with the "oauth2state" session variable unset, the check would pass. Even worse, if the attacker uses a random state and the check fails, the state variable will be unset in the next line. Then a second request would just pass.
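The behaviour described above, next to a stricter check, as an added example that is not the project's own code. The flawed function is reconstructed from the description only; the function names, the array-based stand-ins for `$_GET` and `$_SESSION`, and the sample values are assumptions.

```php
<?php
// Added illustration. stateCheckFlawed() models the check as the text
// describes it; both function names are hypothetical.

/** Rejects only when a stored state exists and differs from the request. */
function stateCheckFlawed(array $get, array &$session): bool
{
    if (isset($session['oauth2state'])
        && ($get['state'] ?? null) !== $session['oauth2state']) {
        unset($session['oauth2state']); // a failed attempt clears the stored state
        return false;
    }
    return true; // also reached when no state was ever stored
}

/** Treats a missing stored state as a failure and compares in constant time. */
function stateCheckStrict(array $get, array &$session): bool
{
    $expected = $session['oauth2state'] ?? null;
    $given    = $get['state'] ?? null;
    unset($session['oauth2state']); // single use, whatever the outcome

    return is_string($expected) && $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// Constructed scenarios: each runs the same requests through both checks.
$scenarios = [
    'fresh session, nothing stored' => [[], [['state' => 'x']]],
    'wrong state sent twice'        => [['oauth2state' => 'abc123'],
                                        [['state' => 'wrong'], ['state' => 'wrong']]],
    'matching state'                => [['oauth2state' => 'abc123'],
                                        [['state' => 'abc123']]],
];

foreach ($scenarios as $name => [$stored, $requests]) {
    $flawedSession = $stored;
    $strictSession = $stored;
    foreach ($requests as $i => $get) {
        printf("%-30s request %d  flawed=%s  strict=%s\n", $name, $i + 1,
            var_export(stateCheckFlawed($get, $flawedSession), true),
            var_export(stateCheckStrict($get, $strictSession), true));
    }
}
```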