Preserve custom state after redirect

[bendavis78]

I need to preserve state after redirecting (eg, using a custom parameter), but it seems the state parameter is currently only used for CSRF token. Is there another way to preserve state?

[indepndnt]

I don't believe the state parameter is limited to CSRF token, so you could encode a CSRF token and other state data into the state parameter.

Better, if there's any non-public data in the state that you want to preserve, would be to store it locally associated with the CSRF token and retrieve it after verifying the CSRF token. IIRC I store the CSRF token as a Redis key with the state for the value.