Depends on the language you are using, and your server architecture.
Most programming languages for web, will suggest or provide a session management solution. It’s up to you to take that provided structure and create a secure method of maintaining a login to a site.
You’ll even find the a CMS you are using provides it, and all you need to do with the oAuth redirect is create a user, using the createUser function in said CMS, and call the login/sessionState function for the newly created or looked up user.
However you want, if you need a state and want to use a state then do so, it’s not required. It’s benefical for passing data via Twitch back to you, like a temporary session ID (generated by your session manager) or something more “simple” like the redirect destination after login (complete login then redirect to the post on a forum the user wanted to reply to for example).
There is no rule or official way to generate a state string.
That’s what I do quite often