diff --git a/oauth3.core.js b/oauth3.core.js
index 8e03884..34091e6 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -529,7 +529,7 @@
 }
 console.warn('[Warn] Please implement OAUTH3.hooks.session.get = function (providerUri) { return PromiseA; }');
 if (!OAUTH3.hooks.session._sessions) { OAUTH3.hooks.session._sessions = {}; }
- return OAUTH3.PromiseA.resolve(OAUTH3.hooks.session._sessions[providerUri]);
+ return OAUTH3.PromiseA.resolve(OAUTH3.hooks.session._sessions[providerUri] || null);
 }
 }
 }
diff --git a/well-known/oauth3/callback.html b/well-known/oauth3/callback.html
index b44f95f..2b8eec9 100644
--- a/well-known/oauth3/callback.html
+++ b/well-known/oauth3/callback.html
@@ -27,6 +27,11 @@
 if (loginWinObj.debug) {
 console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
 }
+ if (!loginWinObj.state) {
+ console.error(loginWinObj);
+ window.alert(prefix + ": missing state parameter");
+ }
+
 // '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
 // TODO finalize name of '--oauth3-callback-', this will be a defacto standard
 // TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
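Review bot: The `|| null` fallback on the changed return line still leaks prototype members, because `_sessions` is created as a plain `{}` two lines above: a `providerUri` of `"constructor"` or `"toString"` resolves to a function from `Object.prototype`, which is truthy and is returned as if it were a stored session. If `providerUri` can be influenced by a caller (presumably it comes from the provider the user typed, so treat it as untrusted), the lookup should be an own-property check, e.g. `var s = OAUTH3.hooks.session._sessions; return OAUTH3.PromiseA.resolve(Object.prototype.hasOwnProperty.call(s, providerUri) ? s[providerUri] : null);`, or the map should be created with `Object.create(null)`. A one-line comment on the fallback, `// fallback store when no session hook is installed; returns null, never undefined, for an unknown provider`, would also explain the change. The enclosing function starts before this hunk.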
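Review bot: The new `if (!loginWinObj.state)` block only logs and alerts; it does not stop the callback from being processed, so the lines that follow (the `--oauth3-callback-` dispatch, outside this hunk) still run on a response that carries no `state`, which is exactly the case the OAuth `state` parameter exists to reject. Add a `return;` after the alert if this code is inside a function, otherwise `throw new Error(prefix + ": missing state parameter");`, so a missing `state` is a hard stop rather than a warning. `console.error(loginWinObj)` also dumps the entire parsed callback object, which presumably includes the code or token returned by the provider; logging `prefix, "missing state parameter"` instead keeps secrets out of the console. Note that presence alone is not a CSRF check; the value still has to be compared against the one stored before the redirect, which I cannot see happening in this hunk.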