State string CSRF prevention

Hi,

I’m trying to implement the check that the documentation recommends around the “state” parameter in the URI for authenticating a user’s Twitch account. I’ve got a secure hex value being generated and added to the URI, but I’m struggling to perform the check when Twitch returns me to my app (since the app is reloaded completely, my state variables are getting wiped).

Does anyone have any advice on best practice for storing the value we provide as the “state” parameter, and checking it against the returned URI?

I guess this is more of a general web dev question rather than strictly about the Twitch API. I hope it’s still ok to ask about it here.

You need some sort of session manager or local storage in your app to persist data between reloads.
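
One way to do what the answer above suggests, as an added example that is not part of the original thread: store the state value in `sessionStorage` before redirecting, then check it exactly once when the browser comes back. The storage key, function names and callback URLs are hypothetical, and `state` is the random hex value the app already generates.

```javascript
// Added example: persist the OAuth "state" value across the redirect and verify it on return.
const STATE_KEY = "oauth_state"; // hypothetical storage key

// Call just before sending the browser to the authorization URL.
// sessionStorage is per-tab and survives the round trip to the provider and back.
function rememberState(state, storage = globalThis.sessionStorage) {
  storage.setItem(STATE_KEY, state);
}

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Call on the redirect page with the full URL the provider returned the browser to.
// Returns true only if a stored value exists and matches the returned "state".
function verifyReturnedState(returnedUrl, storage = globalThis.sessionStorage) {
  const expected = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY); // single use: a replayed callback finds nothing stored

  const url = new URL(returnedUrl);
  // "state" comes back in the query string or in the fragment, depending on the flow.
  const returned =
    url.searchParams.get("state") ??
    new URLSearchParams(url.hash.slice(1)).get("state");

  if (!expected || !returned) return false; // missing on either side is a failure
  return safeEqual(expected, returned);
}
```

If `verifyReturnedState` returns false, discard the code or token in the URL and restart the login instead of continuing.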