#Zegnat[Simon_Willison]: any reason you need to store state in the browser at all? If you can put all state in the access code that would be nice. That way when the client comes to exchange the code for a token all the state is packed in there, even if that request does not transmit cookies