diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php
index cfb452e6f6c789a63ea448dca203ebc18cbec294..da75fcc3f383c954aa5ab5318b8f18c7c19f9011 100644
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@@ -301,11 +301,9 @@ class SimpleSAML_Auth_ProcessingChain {
 	/**
 	 * Retrieve a state which has finished processing.
 	 *
-	 * @param string $id The state identifier. This can be found in the
-	 * SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please
-	 * make sure to sanitize it properly by calling the
-	 * SimpleSAML_Utilities::checkURLAllowed() function with the embedded
-	 * restart URL, if any. See also SimpleSAML_Utilities::parseStateID().
+	 * @param string $id The state identifier.
+     * @see SimpleSAML_Utilities::parseStateID()
+     * @return Array The state referenced by the $id parameter.
 	 */
 	public static function fetchProcessedState($id) {
 		assert('is_string($id)');
diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php
index 1fe4ebf6017b3379a05985d40e1cf44efab858a3..4684f5d8fc8af222254716a3f753e18754eaa5c1 100644
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@@ -225,7 +225,7 @@ class SimpleSAML_Auth_State {
 				throw new SimpleSAML_Error_NoState();
 			}
 
-			SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
+			SimpleSAML_Utilities::redirectUntrustedURL($sid['url']);
 		}
 
 		$state = unserialize($state);
@@ -249,7 +249,7 @@ class SimpleSAML_Auth_State {
 				throw new Exception($msg);
 			}
 
-			SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
+			SimpleSAML_Utilities::redirectUntrustedURL($sid['url']);
 		}
 
 		return $state;
diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php
index 1a43252a1a17eabee96528fd0f2cd1d0476e1b0d..4cd16dd860eab243baa0b0e5240f6ed11695c7db 100644
--- a/lib/SimpleSAML/IdP/LogoutTraditional.php
+++ b/lib/SimpleSAML/IdP/LogoutTraditional.php
@@ -75,12 +75,6 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
 			throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
 		}
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($relayState);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		$state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
 
 		if ($error === NULL) {
diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php
index 09b4b065758fa626cca7855d747c44199d65d062..a1bb0043434e800ff02a2e9b3c65823ba63590f8 100644
--- a/modules/aselect/www/credentials.php
+++ b/modules/aselect/www/credentials.php
@@ -9,15 +9,7 @@
 if (!array_key_exists('ssp_state', $_REQUEST)) {
     throw new SimpleSAML_Error_Exception("Missing ssp_state parameter");
 }
-$id = $_REQUEST['ssp_state'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-    SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['ssp_state'], 'aselect:login');
 
 if (!array_key_exists('a-select-server', $_REQUEST)) {
     SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter"));
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index a6227c0602e50d42a1b783782513989feefd3d1d..48c3047ac8e41afe52cacc9eac12dccdeb147ef1 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -123,12 +123,6 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
 		assert('is_string($authStateId)');
 		assert('is_string($otp)');
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		/* Retrieve the authentication state. */
 		$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
 
diff --git a/modules/authfacebook/www/linkback.php b/modules/authfacebook/www/linkback.php
index 0ab3656c242014306855c9aa41e46e1878e5b4e4..aed4404c76f870eb210d89e5b30958bf633e003a 100644
--- a/modules/authfacebook/www/linkback.php
+++ b/modules/authfacebook/www/linkback.php
@@ -7,16 +7,7 @@
 if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing state parameter on facebook linkback endpoint.');
 }
-
-$stateID = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
 
 /* Find authentication source. */
 if (!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) {
diff --git a/modules/authlinkedin/www/linkback.php b/modules/authlinkedin/www/linkback.php
index e65a8aab67e8b1e2eca3ebdd6d250a81fa2ee2a6..8a6c6f4fd8454bf76771f3063d236ddbb4ed1848 100644
--- a/modules/authlinkedin/www/linkback.php
+++ b/modules/authlinkedin/www/linkback.php
@@ -4,19 +4,10 @@
  * Handle linkback() response from LinkedIn.
  */
 
-if (array_key_exists('stateid', $_REQUEST)) {
-        $stateId = $_REQUEST['stateid'];
-} else {
-        throw new Exception('Lost OAuth Client State');
-}
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
+if (!array_key_exists('stateid', $_REQUEST)) {
+    throw new Exception('Lost OAuth Client State');
 }
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
 
 // http://developer.linkedin.com/docs/DOC-1008#2_Redirect_the_User_to_our_Authorization_Server
 if (array_key_exists('oauth_verifier', $_REQUEST)) {
diff --git a/modules/authmyspace/www/linkback.php b/modules/authmyspace/www/linkback.php
index 4dbaf79ff0290577e37dd6be7d9f4eb44adea78e..da78d125b89f6e67e81161f2aa0cd9c023c255f9 100644
--- a/modules/authmyspace/www/linkback.php
+++ b/modules/authmyspace/www/linkback.php
@@ -4,19 +4,10 @@
  * Handle linkback() response from MySpace.
  */
 
-if (array_key_exists('stateid', $_REQUEST)) {
-	$stateId = $_REQUEST['stateid'];
-} else {
+if (!array_key_exists('stateid', $_REQUEST)) {
 	throw new Exception('State Lost - not returned by MySpace Auth');
 }
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
 
 if (array_key_exists('oauth_problem', $_REQUEST)) {
 	// oauth_problem of 'user_refused' means user chose not to login with MySpace
diff --git a/modules/authorize/www/authorize_403.php b/modules/authorize/www/authorize_403.php
index 4342e0a6aa5c2e1a47f0bfd86650d475890ac38b..0f57ade2238de66933e1bd176529701908266351 100644
--- a/modules/authorize/www/authorize_403.php
+++ b/modules/authorize/www/authorize_403.php
@@ -8,16 +8,7 @@
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'authorize:Authorize');
 
 $globalConfig = SimpleSAML_Configuration::getInstance();
 $t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php');
diff --git a/modules/authtwitter/www/linkback.php b/modules/authtwitter/www/linkback.php
index 9a397eda66882fab36887d50116923d5c798e583..5afca477d969f52c564a6d3f3f087d7a0decb553 100644
--- a/modules/authtwitter/www/linkback.php
+++ b/modules/authtwitter/www/linkback.php
@@ -7,15 +7,7 @@
 if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing state parameter on twitter linkback endpoint.');
 }
-$stateID = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
 
 /* Find authentication source. */
 if (!array_key_exists(sspmod_authtwitter_Auth_Source_Twitter::AUTHID, $state)) {
diff --git a/modules/authwindowslive/www/linkback.php b/modules/authwindowslive/www/linkback.php
index 29b8b0d6077ec36d90e6b59d9c8d1ac9452222b8..d2d1d077ac92de1abcf01795504d2f3a5d61ba5e 100644
--- a/modules/authwindowslive/www/linkback.php
+++ b/modules/authwindowslive/www/linkback.php
@@ -4,19 +4,10 @@
  * Handle linkback() response from Windows Live ID.
  */
 
-if (array_key_exists('wrap_client_state', $_REQUEST)) {
-	$stateId = $_REQUEST['wrap_client_state'];
-	
-	// sanitize the input
-	$sid = SimpleSAML_Utilities::parseStateID($stateId);
-	if (!is_null($sid['url'])) {
-		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-	}
-
-	$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
-} else {
+if (!array_key_exists('wrap_client_state', $_REQUEST)) {
 	throw new Exception('Lost OAuth-WRAP Client State');
 }
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['wrap_client_state'], sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
 
 // http://msdn.microsoft.com/en-us/library/ff749771.aspx
 if (array_key_exists('wrap_verification_code', $_REQUEST)) {
diff --git a/modules/cas/www/linkback.php b/modules/cas/www/linkback.php
index 473c44b4813ccb7af431ac00dc76f672ab7c58e6..3f87b7b6f392b97acc82e5bf47759dfee5fcc57f 100644
--- a/modules/cas/www/linkback.php
+++ b/modules/cas/www/linkback.php
@@ -7,19 +7,11 @@
 if (!isset($_GET['stateID'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.');
 }
-$stateId = (string)$_GET['stateID'];
+$state = SimpleSAML_Auth_State::loadState($_GET['stateID'], sspmod_cas_Auth_Source_CAS::STAGE_INIT);
 
 if (!isset($_GET['ticket'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.');
 }
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
 $state['cas:ticket'] = (string)$_GET['ticket'];
 
 /* Find authentication source. */
diff --git a/modules/cdc/www/resume.php b/modules/cdc/www/resume.php
index 8d7258dc9976403f0b15f9b25052867910ddf35d..a7f821998c953ff4a290315cf839a8d2a03dd815 100644
--- a/modules/cdc/www/resume.php
+++ b/modules/cdc/www/resume.php
@@ -16,13 +16,6 @@ if ($response === NULL) {
 if (!isset($response['id'])) {
 	throw new SimpleSAML_Error_BadRequest('CDCResponse without id.');
 }
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($response['id']);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume');
 
 SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
diff --git a/modules/consent/www/getconsent.php b/modules/consent/www/getconsent.php
index ef660316850138221f7cad43f377d0909e282ed2..66c16c03fb8ed3aa280adfa21ddd4fd228281ae9 100644
--- a/modules/consent/www/getconsent.php
+++ b/modules/consent/www/getconsent.php
@@ -30,13 +30,6 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 }
 
 $id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
 
 if (array_key_exists('core:SP', $state)) {
diff --git a/modules/consent/www/logout.php b/modules/consent/www/logout.php
index 4bd09380b2e978e30818c0b7a978831a657fb4ad..58de97c36c6120e69a3bffef0825eea39d0b3081 100644
--- a/modules/consent/www/logout.php
+++ b/modules/consent/www/logout.php
@@ -8,15 +8,7 @@
 if (!array_key_exists('StateId', $_GET)) {
     throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-$id = (string)$_GET['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
+$state = SimpleSAML_Auth_State::loadState($_GET['StateId'], 'consent:request');
 
 $state['Responder'] = array('sspmod_consent_Logout', 'postLogout');
 
diff --git a/modules/consent/www/noconsent.php b/modules/consent/www/noconsent.php
index 4e847ce2055992845295cdd7274efb9ed2651c4c..c9715b66137962c4d4718590455490da51be7019 100644
--- a/modules/consent/www/noconsent.php
+++ b/modules/consent/www/noconsent.php
@@ -11,13 +11,6 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 }
 
 $id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
 
 $resumeFrom = SimpleSAML_Module::getModuleURL(
diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php
index de79c1f19449768a9da47c8c7759a14e0de4b84e..a97fba73a3e92541326986e37755a116ab0c9b49 100644
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@@ -233,12 +233,6 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
 		assert('is_string($username)');
 		assert('is_string($password)');
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		/* Here we retrieve the state array we saved in the authenticate-function. */
 		$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
 
diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php
index 1ffdb53baa19eabca6c70d339d2a49035b44a152..7bbddf24fc3973c860b39060a888167568863f61 100644
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@@ -208,12 +208,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
 		assert('is_string($password)');
 		assert('is_string($organization)');
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		/* Retrieve the authentication state. */
 		$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
 
@@ -262,12 +256,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
 	public static function listOrganizations($authStateId) {
 		assert('is_string($authStateId)');
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		/* Retrieve the authentication state. */
 		$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
 
diff --git a/modules/core/www/idp/logout-iframe-done.php b/modules/core/www/idp/logout-iframe-done.php
index fe69f40076e4e2e1d4a7bd694de316c56dc338c0..eeb4f2b0a85bff2308da13808d4dc7ee4557f823 100644
--- a/modules/core/www/idp/logout-iframe-done.php
+++ b/modules/core/www/idp/logout-iframe-done.php
@@ -3,15 +3,7 @@
 if (!isset($_REQUEST['id'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing required parameter: id');
 }
-$id = (string)$_REQUEST['id'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame');
 $idp = SimpleSAML_IdP::getByState($state);
 
 $associations = $idp->getAssociations();
diff --git a/modules/core/www/idp/logout-iframe.php b/modules/core/www/idp/logout-iframe.php
index e2a136e4c0dbd86b3782881fa4fd8b0aaa1ae11b..670d3305229650422c44f9a52842e1e162d1098f 100644
--- a/modules/core/www/idp/logout-iframe.php
+++ b/modules/core/www/idp/logout-iframe.php
@@ -3,7 +3,6 @@
 if (!isset($_REQUEST['id'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing required parameter: id');
 }
-$id = (string)$_REQUEST['id'];
 
 if (isset($_REQUEST['type'])) {
 	$type = (string)$_REQUEST['type'];
@@ -19,13 +18,7 @@ if ($type !== 'embed' && $type !== 'async') {
 	SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type));
 }
 
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame');
 $idp = SimpleSAML_IdP::getByState($state);
 
 if ($type !== 'init') {
diff --git a/modules/core/www/idp/resumelogout.php b/modules/core/www/idp/resumelogout.php
index 0077909f57c9af25a94ad6fe81ce2611b036a377..7a524f61bd5667cd5e99f16dba6331ce24523a74 100644
--- a/modules/core/www/idp/resumelogout.php
+++ b/modules/core/www/idp/resumelogout.php
@@ -3,15 +3,7 @@
 if (!isset($_REQUEST['id'])) {
 	throw new SimpleSAML_Error_BadRequest('Missing id-parameter.');
 }
-$id = (string)$_REQUEST['id'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout:afterbridge');
 $idp = SimpleSAML_IdP::getByState($state);
 
 $assocId = $state['core:TerminatedAssocId'];
diff --git a/modules/core/www/loginuserpass.php b/modules/core/www/loginuserpass.php
index 35994ed6d23e9bc147c895673f7ba93ed48cb8b0..4ce0f93e66dca80463268a4d82b83c8bbb584778 100644
--- a/modules/core/www/loginuserpass.php
+++ b/modules/core/www/loginuserpass.php
@@ -9,21 +9,13 @@
  * @package simpleSAMLphp
  */
 
+/* Retrieve the authentication state. */
 if (!array_key_exists('AuthState', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
 }
 $authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
 $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassBase::STAGEID);
 
-
 $source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassBase::AUTHID]);
 if ($source === NULL) {
 	throw new Exception('Could not find authentication source with id ' . $state[sspmod_core_Auth_UserPassBase::AUTHID]);
diff --git a/modules/core/www/loginuserpassorg.php b/modules/core/www/loginuserpassorg.php
index fa6a47280deb740d3543c6e2fa0c69aacd3f6a6b..ad4ba44b04b2bf7c2ace3de4cf47e10c57e05d95 100644
--- a/modules/core/www/loginuserpassorg.php
+++ b/modules/core/www/loginuserpassorg.php
@@ -9,18 +9,11 @@
  * @package simpleSAMLphp
  */
 
+/* Retrieve the authentication state. */
 if (!array_key_exists('AuthState', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
 }
 $authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
 $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassOrgBase::STAGEID);
 
 $source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassOrgBase::AUTHID]);
diff --git a/modules/core/www/short_sso_interval.php b/modules/core/www/short_sso_interval.php
index 6536631ab7a9c1ce1dc776e1925c2f032f0c72ff..5e225bfbfb1c276f07ed6fca0290e909852c69c0 100644
--- a/modules/core/www/short_sso_interval.php
+++ b/modules/core/www/short_sso_interval.php
@@ -9,15 +9,7 @@
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
 $id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
 $session = SimpleSAML_Session::getSessionFromRequest();
 
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index c141a4a2a2b38a67d62b3315b0e82ab39428e939..37038527b5a3fb0888ad0ec0d2c460409ad86ca2 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -183,19 +183,12 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
 		if (!isset($_REQUEST['State'])) {
 			throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
 		}
-		$stateId = (string)$_REQUEST['State'];
-
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($stateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
 
 		/*
 		 * Once again, note the second parameter to the loadState function. This must
 		 * match the string we used in the saveState-call above.
 		 */
-		$state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
+		$state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External');
 
 		/*
 		 * Now we have the $state-array, and can use it to locate the authentication
diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php
index 819cc2c2895f24376ce32e37582a9eb101f5c302..7b3dca26748ff1754560bef07f4fa7ad39440d0e 100644
--- a/modules/exampleauth/www/authpage.php
+++ b/modules/exampleauth/www/authpage.php
@@ -29,15 +29,7 @@ $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
 if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
 	die('Invalid ReturnTo URL for this example.');
 }
-$stateId = urldecode($matches[1]);
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
+SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External');
 
 /*
  * The loadState-function will not return if the second parameter does not
diff --git a/modules/exampleauth/www/redirecttest.php b/modules/exampleauth/www/redirecttest.php
index 03ed359e3d5495fd6cffc95b378ca663fe3d29a2..147051cd1de971505380c973350d6af08bd78817 100644
--- a/modules/exampleauth/www/redirecttest.php
+++ b/modules/exampleauth/www/redirecttest.php
@@ -10,16 +10,7 @@
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'exampleauth:redirectfilter-test');
 
 $state['Attributes']['RedirectTest2'] = array('OK');
 
diff --git a/modules/expirycheck/www/about2expire.php b/modules/expirycheck/www/about2expire.php
index 551a18c56ac58d6e27bd2c567ea584dde5fbb4e0..9531fcbda333742f501e83650aaf4e87655f2c4b 100644
--- a/modules/expirycheck/www/about2expire.php
+++ b/modules/expirycheck/www/about2expire.php
@@ -11,18 +11,9 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
 $id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire');
 
-
 if (array_key_exists('yes', $_REQUEST)) {
 	/* The user has pressed the yes-button. */
 	SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
diff --git a/modules/expirycheck/www/expired.php b/modules/expirycheck/www/expired.php
index 69fb16dc8df585d1491a8b5612082919ec666769..5be027e09517d7d12ecce5661c9288f01fc78e99 100644
--- a/modules/expirycheck/www/expired.php
+++ b/modules/expirycheck/www/expired.php
@@ -11,16 +11,7 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'expirywarning:expired');
 
 $globalConfig = SimpleSAML_Configuration::getInstance();
 
diff --git a/modules/multiauth/www/selectsource.php b/modules/multiauth/www/selectsource.php
index ecd76211545e3637c2855801de94441571281ea1..8881d86ec0d777c31ee4f144cf2154aad35dce1a 100644
--- a/modules/multiauth/www/selectsource.php
+++ b/modules/multiauth/www/selectsource.php
@@ -10,18 +10,11 @@
  * @package simpleSAMLphp
  */
 
+/* Retrieve the authentication state. */
 if (!array_key_exists('AuthState', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
 }
 $authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
 $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_multiauth_Auth_Source_MultiAuth::STAGEID);
 
 if (array_key_exists("SimpleSAML_Auth_Default.id", $state)) {
diff --git a/modules/negotiate/www/backend.php b/modules/negotiate/www/backend.php
index 0292d247a3ce5458231c38f4413211c79aae15b1..7348fd98fb7c2cf3e4595652f57c0b2c558ffdc2 100644
--- a/modules/negotiate/www/backend.php
+++ b/modules/negotiate/www/backend.php
@@ -8,15 +8,7 @@
  * @package simpleSAMLphp
  */
 
-$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
 SimpleSAML_Logger::debug('backend - fallback: '.$state['LogoutState']['negotiate:backend']);
 
 sspmod_negotiate_Auth_Source_Negotiate::fallBack($state);
diff --git a/modules/negotiate/www/retry.php b/modules/negotiate/www/retry.php
index a659c61fc6c7e732492aab75c2283417d47705e1..23d51c2dff86b242792caf50f03ce079a8985baf 100644
--- a/modules/negotiate/www/retry.php
+++ b/modules/negotiate/www/retry.php
@@ -8,15 +8,7 @@
  * @package simpleSAMLphp
  */
 
-$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
 
 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 $idpid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted', 'metaindex');
diff --git a/modules/preprodwarning/www/showwarning.php b/modules/preprodwarning/www/showwarning.php
index 43a07cff0d4b6afca49d545c3d4be6f3e8ebf379..7be7493c3a29b09d8308750ff7285a0f4c09b10e 100644
--- a/modules/preprodwarning/www/showwarning.php
+++ b/modules/preprodwarning/www/showwarning.php
@@ -12,15 +12,7 @@ SimpleSAML_Logger::info('PreProdWarning - Showing warning to user');
 if (!array_key_exists('StateId', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
 }
-
 $id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
 $state = SimpleSAML_Auth_State::loadState($id, 'warning:request');
 
 
diff --git a/modules/saml/www/sp/discoresp.php b/modules/saml/www/sp/discoresp.php
index 5d6d55bb7b0b12be7d0999ff638f24f8ada4a65d..a10c5ecd106ec59ccf3fe273b7b13548f96fd8da 100644
--- a/modules/saml/www/sp/discoresp.php
+++ b/modules/saml/www/sp/discoresp.php
@@ -11,16 +11,7 @@ if (!array_key_exists('AuthID', $_REQUEST)) {
 if (!array_key_exists('idpentityid', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing idpentityid to discovery service response handler');
 }
-
-$stateID = $_REQUEST['AuthID'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
-	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthID'], 'saml:sp:sso');
 
 /* Find authentication source. */
 assert('array_key_exists("saml:sp:AuthId", $state)');
diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index de98e34915031a54a1821e1b9911ae2ac5a9a42c..a8d1dc7246250bbfd86b7781c267f172ddf0a27a 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -33,15 +33,7 @@ if (preg_match('@^https?://@i', $target)) {
 		'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($target),
 	);
 } else {
-	$stateID = $_REQUEST['TARGET'];
-
-	// sanitize the input
-	$sid = SimpleSAML_Utilities::parseStateID($stateID);
-	if (!is_null($sid['url'])) {
-		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-	}
-
-	$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
+	$state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso');
 
 	/* Check that the authentication source is correct. */
 	assert('array_key_exists("saml:sp:AuthId", $state)');
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index b9fb760b18cc7e648186d2336af2f69230412e4a..d22286278f1a57de3cfde0ea02c395937bf46c3a 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -56,13 +56,6 @@ $idpMetadata = array();
 
 $stateId = $response->getInResponseTo();
 if (!empty($stateId)) {
-
-	// sanitize the input
-	$sid = SimpleSAML_Utilities::parseStateID($stateId);
-	if (!is_null($sid['url'])) {
-		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-	}
-
 	/* This is a response to a request we sent earlier. */
 	$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
 
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index b39f3bff0c96c8bbfb7ce0cc01dc5033dc607ef3..d3898e779b4d558239ab8f31d5787b15380b1158 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -54,12 +54,6 @@ if ($message instanceof SAML2_LogoutResponse) {
 		SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message));
 	}
 
-	// sanitize the input
-	$sid = SimpleSAML_Utilities::parseStateID($relayState);
-	if (!is_null($sid['url'])) {
-		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-	}
-
 	$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
 	$state['saml:sp:LogoutStatus'] = $message->getStatus();
 	SimpleSAML_Auth_Source::completeLogout($state);