diff --git a/auth.js b/auth.js
index f079563..2913b58 100644
--- a/auth.js
+++ b/auth.js
@@ -1,3 +1,5 @@
+import * as cookie from 'https://deno.land/std@0.188.0/http/cookie.ts'
+
 export class Auth {
 constructor({
 baseUrl,
@@ -25,14 +27,20 @@ export class Auth {
 this.remoteBaseUrl + '/auth/callback'
 )
 const timestamp = new Date().valueOf()
+ const randomInt = Math.floor(Math.random() * 10000)
 // TODO: sign
- const signedTimestamp = `${timestamp}`
- search.set('state', signedTimestamp)
+ const state = `${randomInt}-${timestamp}`
+ search.set('state', state)
 url.search = search.toString()
+ const headers = new Headers({
+ Location: url.toString()
+ })
+ cookie.setCookie(headers, {
+ name: 'oauth.gitea.state',
+ value: state,
+ })
 return new Response('', {
- headers: {
- Location: url.toString()
- },
+ headers,
 status: 302,
 })
 }
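Review bot: The `state` built from `const randomInt = Math.floor(Math.random() * 10000)` serves as the OAuth CSRF token, but it comes from a non-cryptographic generator with only 10,000 possible values joined to a guessable timestamp; it should be derived from `crypto.randomUUID()` or `crypto.getRandomValues()` instead. The `cookie.setCookie` call also sets no `httpOnly`, `secure`, `sameSite`, `path` or `maxAge`, so the state cookie is readable by page script, can travel over plain HTTP and lasts for the whole browser session. The enclosing method starts outside this hunk and the callback handler is not shown, so confirm that it compares the `state` query parameter with this cookie and deletes the cookie afterwards; the existing `// TODO: sign` is still open. The fence keeps the `<random>-<timestamp>` shape in case the callback parses it, and its `path` and `maxAge` values are sample values to adjust.

```javascript
const timestamp = new Date().valueOf()
// CSRF token for the OAuth round trip: must be unpredictable, so take it from the Web Crypto CSPRNG
const nonce = crypto.randomUUID().replaceAll('-', '')
// TODO: sign
const state = `${nonce}-${timestamp}`
// … unchanged: search.set('state', state), url.search, Headers with Location …
cookie.setCookie(headers, {
  name: 'oauth.gitea.state',
  value: state,
  httpOnly: true, // not readable from page script
  secure: true, // only sent over HTTPS
  sameSite: 'Lax', // still sent on the provider's top-level redirect back
  path: '/', // sample value; narrow to the callback path if possible
  maxAge: 600, // sample value (seconds); bounds how long a login attempt stays valid
})
```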