Session Lost After Payment Redirect
#1

(This post was last modified: 07-05-2022, 05:04 AM by demyr.)

Hi there,

I don't know if it is a bug or not, but I am working locally and have added a payment system to a project. It works fine except for the success part. If the transaction is successful, the 3rd party payment system I am using tries to redirect to my result page. (If the message from the 3rd party is success I will display "oh thank you etc.", if not I am going to display "there is ... failure etc.", you know...)

However, when it redirects to my result page the session is lost, even though I had already signed in, and my own system redirects me to my login screen.

My Route:

This GET route with a filter doesn't redirect to the page when coming from the payment system:
PHP Code:
$routes->get('/{locale}/user-area/(:num)/my-cart/payment-result/(:num)/', 'UserAreaController::my_cart_payment_result', ['filter' => 'myUserAreaFilter']);

If I change the route type to match and bypass my filter, it works, but without the session:

PHP Code:
$routes->match(['get', 'post'], '/{locale}/user-area/(:num)/my-cart/payment-result/(:num)/', 'UserAreaController::my_cart_payment_result');

My Filter:
PHP Code:
public function before(RequestInterface $request, $arguments = null) {
    $locale = service('request')->getLocale();
    $msg    = 'Sign in First Please';

    $session      = \Config\Services::session();
    $session_info = $session->user_email;
    if ($session_info == '') {
        $session->setFlashdata('error', $msg);
        return redirect()->to(site_url($locale . '/login'));
    }

} // before ends


My Controller:
PHP Code:
$session      = \Config\Services::session();
$session_info = $session->user_email;

// I obtain user_id checking user in the session and then I use it in my controller wherever I need

if ($session_info != '') {
    $data['user'] = $this->SiteLib->UserModel->check_if_user_exists($session_info);
    $user_id      = $data['user']->user_id;
    // rest of the method not included in the post
}



So, how can I keep my session data even after the redirect coming from the payment system?
Reply
#2

Session breaks due to CORS policy. Try setting in Config/Cookie SameSite=None instead of Lax

And search on google about this cookie feature
Reply
#3

(07-05-2022, 05:15 AM)ozornick Wrote: Session breaks due to CORS policy. Try setting in Config/Cookie SameSite=None instead of Lax

And search on google about this cookie feature

Thank you @ozornick, I have read some pages. Well, then it might not be so secure, right? So, how do you deal with such an issue? Allowing some sites via .htaccess etc.?
Reply
#4

It seems the payment system is using a POST request, and a cookie with SameSite=Lax is not sent on POST requests from other sites.

Why don't you ask the payment system provider?
Reply
#5

Thanks for the comment @kenjis. Checking local forums here, I found a solution: add this line at the top of the payment page. It worked. What do you think, does it sound safe?

PHP Code:
header('Set-Cookie: ' . session_name() . '=' . session_id() . '; SameSite=None; Secure', false);
Reply
#6

The normal workflow is like this:
1) the payment page --> 2) payment system --> 3) thank you page

It seems there is no problem with setting SameSite=None in 1) and reverting SameSite in 3).

But if a user stops at 2) and goes back to your site directly (for example, by typing the URL in the browser or opening a new tab),
you never revert SameSite, and the user is at more risk than with SameSite=Lax until the session cookie is updated.
Reply
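One way to carry out the 1) / 3) flow described in the last two posts, as an added example that is not code from the thread or from CodeIgniter: it re-issues the session cookie with plain PHP setcookie() (the PHP 7.3+ options array), keeps the HttpOnly, Secure and Path attributes that the one-line header() call in post #5 drops, and also reverts an abandoned flow on the next same-site request. It assumes a native PHP session has already been started before any output; the function names and the payment_pending flag are assumptions.

```php
<?php
declare(strict_types=1);

// Re-issue the current session cookie with the given SameSite value.
// Assumes session_start() has already run and no output has been sent.
function reissueSessionCookie(string $sameSite): void
{
    // Only these three values are valid; None must be paired with Secure.
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("invalid SameSite value: $sameSite");
    }
    setcookie(session_name(), session_id(), [
        'expires'  => 0,        // stays a session cookie
        'path'     => '/',
        'secure'   => true,     // required for SameSite=None, harmless otherwise
        'httponly' => true,     // the manual header() one-liner loses this
        'samesite' => $sameSite,
    ]);
}

// Step 1: the payment page. The provider will POST back cross-site, so the
// cookie must be SameSite=None for that single round trip. Mark the flow.
function onPaymentPage(): void
{
    reissueSessionCookie('None');
    $_SESSION['payment_pending'] = true;   // assumed flag name
}

// Step 3: the result page. Revert to Lax straight away, whatever the outcome.
function onPaymentResultPage(): void
{
    reissueSessionCookie('Lax');
    unset($_SESSION['payment_pending']);
}

// Every other request: if a previous flow was abandoned at step 2 (the case
// raised in post #6), the cookie is still SameSite=None; revert it now.
function onAnyOtherPage(): void
{
    if (!empty($_SESSION['payment_pending'])) {
        reissueSessionCookie('Lax');
        unset($_SESSION['payment_pending']);
    }
}
```

In a CodeIgniter app the equivalent would normally live in a filter so that onAnyOtherPage() runs before every same-site controller, rather than being called by hand.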