2020-11-17 UTC
# [Simon_Willison] > Upon the redirect back to the client, the client _MUST_ verify that the state parameter in the request is valid and matches the state parameter that it initially created, in order to prevent CSRF attacks. The state value can also store session information to enable development of clients that cannot store data themselves.