Addendum: you can read about the use of the "state" parameter here: https://auth0.com/docs/protocols/oauth2/oauth-state.

Reading that I realise that the DF session cookie value probably isn't really the best choice - it should probably generate it's own random value and use that - but basically it works and since the cookie value is itself generated (reasonably) randomly this is (I believe) an "if it ain't broken, don't fix it" type of situation.

Others more knowledgeable about such stuff may disagree. (In which case let me know and I will look at fixing it.)

Mike