Session Lost After Payment Redirect
Hi there,

I don't know if it is a bug or not, but I am working locally and have added a payment system to a project. It works fine except for the success part. If the transaction is successful, the 3rd-party payment system I am using tries to redirect to my result page. (If the message from the 3rd party is success, I will display "oh thank you etc."; if not, I am going to display "there is ... failure etc.", you know...) However, when it redirects to my result page the session is lost, even though I had already signed in, and my own system redirects me to my login screen.

My Route: This GET route with filter doesn't redirect to the page when coming from the payment system:

PHP Code:
$routes->get('/{locale}/user-area/(:num)/my-cart/payment-result/(:num)/', 'UserAreaController::my_cart_payment_result', ['filter' => 'myUserAreaFilter']);

If I change the route type to match and bypass my filter, it works but without session:

PHP Code:
$routes->match(['get', 'post'], '/{locale}/user-area/(:num)/my-cart/payment-result/(:num)/', 'UserAreaController::my_cart_payment_result');

My Filter:

PHP Code:
public function before(RequestInterface $request, $arguments = null) {

My Controller:

PHP Code:
$session = \Config\Services::session();

So, how can I keep my session data even after the redirect coming from the payment system?
Session breaks due to CORS policy. Try setting SameSite=None instead of Lax in Config/Cookie.
And search on google about this cookie feature.

(07-05-2022, 05:15 AM)ozornick Wrote: Session breaks due to CORS policy. Try setting in Config/Cookie SameSite=None instead of Lax

Thank you @ozornick, I have read some pages. Well, then it might not be so secure, right? So, how do you deal with such an issue? Allowing some sites via .htaccess etc.?
It seems the payment system is using a POST request, and a cookie with SameSite=Lax is not sent with POST requests from other sites.
Why don't you ask the payment system provider?
Thanks for the comment @kenjis. Checking local forums here, I found a solution: add this line at the top of the payment page. It worked. What do you think, does it sound safe?

PHP Code:
header('Set-Cookie: ' . session_name() . '=' . session_id() . '; SameSite=None; Secure', false);
The normal workflow is like this:

1) the payment page --> 2) Payment system --> 3) thank you page

It seems no problem to set SameSite=None in 1) and revert SameSite in 3). But if a user stops at 2) and goes back to your site directly (for example, types the URL in the browser or opens a new tab), you miss reverting SameSite, and the user has more risk than with SameSite=Lax until the session cookie is updated.
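The scoped version of that workflow, written as an added example for this thread (it is not code from the thread, from kenjis, or from CodeIgniter): SameSite=None is issued only at step 1 and reverted at step 3, and a per-request check also reverts it when a user abandons step 2, which is the gap described above. It uses plain PHP session functions rather than CodeIgniter's session class (Config\Cookie's samesite setting and the session class's regenerate method are the framework-level counterparts); the 15-minute window, the function names and the path-marker check are assumptions, with the `/my-cart/payment-result/` segment taken from the route in the first post.

```php
<?php
// Added example (not from the thread or CodeIgniter): keep SameSite=None scoped
// to the payment round-trip and fall back to Lax even if step 3 is never reached.
declare(strict_types=1);

// Assumption: a payment round-trip should complete within 15 minutes.
const PAYMENT_WINDOW_SECONDS = 15 * 60;

// Segment of the result route from the first post; used to recognise step 3.
const PAYMENT_RESULT_MARKER = '/my-cart/payment-result/';

/** Re-issue the session cookie with the given SameSite value. Call before any output. */
function reissueSessionCookie(string $sameSite): void
{
    $params = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $params['lifetime'],
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => true,      // browsers reject SameSite=None without Secure
        'httponly' => true,
        'samesite' => $sameSite, // 'None' during the round-trip, 'Lax' otherwise
    ]);
    // A new id forces a fresh Set-Cookie header carrying the new attributes;
    // session data is carried over and the old id is discarded.
    session_regenerate_id(true);
}

/** Step 1: call immediately before redirecting the user to the payment provider. */
function startPaymentRoundTrip(): void
{
    $_SESSION['payment_started_at'] = time();
    reissueSessionCookie('None');
}

/** Step 3: call on the payment-result page once the provider has posted back. */
function finishPaymentRoundTrip(): void
{
    unset($_SESSION['payment_started_at']);
    reissueSessionCookie('Lax');
}

/**
 * Run on every request (for example from a global filter, after session_start()).
 * Covers the abandoned-step-2 case: the cookie is still SameSite=None, so revert
 * as soon as the window has expired or the user lands anywhere other than the
 * payment-result page.
 */
function revertStaleSameSite(string $currentPath): void
{
    if (!isset($_SESSION['payment_started_at'])) {
        return; // no round-trip in progress; cookie is already Lax
    }
    $expired   = (time() - (int) $_SESSION['payment_started_at']) > PAYMENT_WINDOW_SECONDS;
    $offCourse = strpos($currentPath, PAYMENT_RESULT_MARKER) === false;
    if ($expired || $offCourse) {
        finishPaymentRoundTrip();
    }
}

// Usage sketch (assumed placement; provider URL is a placeholder):
// session_start();
// revertStaleSameSite($_SERVER['REQUEST_URI']);           // global filter, every request
// startPaymentRoundTrip(); header('Location: https://payment-provider.example/checkout'); exit;
// finishPaymentRoundTrip();                               // UserAreaController::my_cart_payment_result
```

The per-request check is what closes the gap kenjis points out: without it, a user who types your URL after leaving the provider keeps a SameSite=None session cookie until something else re-issues it. The check costs one `isset()` on every request while no payment is in progress.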