Session destroyed when returning from external link
#1

Hi
I have a CI4 app where I use a very basic auth system
This ci4 application is located in a subdomain
I login the user and store some vars in session, etc.


Somewhere in the codeigniter app, I show a button to the user which opens (in new tab) a payment processor website.
This payment processor has some settings like return_fail_url and/or return_success_url

When the user pays successfully, it returns to my ci4 return_success_url
If the user cancels the payment, it returns to my ci4 return_fail_url

The problem I'm having is that when the user returns from the payment processor website (success or fail), all the session data is lost
The user has to login again



I thought about debugbar. I disabled it but this behaviour keeps happening

Any idea how to solve or debug this?

Thanks
Reply
#2

Investigate "samesite cookie".
Reply
#3

(06-22-2023, 02:58 PM)kenjis Wrote: Investigate "samesite cookie".

Hi
I've done the research, but cannot make the cookie be set to None in the browser

I've set the following into my .env file

Code:
#--------------------------------------------------------------------
# SESSION
#--------------------------------------------------------------------

app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
app.sessionCookieName = 'cidisession'
app.sessionExpiration = 7200
# app.sessionSavePath = null
app.sessionMatchIP = false
app.sessionTimeToUpdate = 300
app.sessionRegenerateDestroy = false

#--------------------------------------------------------------------
# COOKIE
#--------------------------------------------------------------------

cookie.prefix = ''
cookie.expires = 0
cookie.path = '/'
cookie.domain = ''
cookie.secure = true
cookie.httponly = false
cookie.samesite = 'None'
cookie.raw = false

I've also set same options/values in
app\Config\Cookie.php
app\Config\Security.php
app\Config\App.php

But the browser keeps setting it to Strict
(I've tested all of this after setting the options, and the session keeps being destroyed upon returning from the payment platform)

Reply
#4

Code:
cookie.secure = true
cookie.samesite = 'None'

PHP Code:
<?php

namespace App\Controllers;

class Home extends BaseController
{
    public function index()
    {
        // Starting the session is what makes CodeIgniter send the
        // session cookie with the configured Secure/SameSite attributes
        session();
    }
}

Reply
#5

By the way, cookie.samesite = 'None' is the lowest security level.
So it is better not to use it as much as possible.
Reply
#6

(This post was last modified: 07-04-2023, 05:12 AM by kabeza.)

EDIT: I could finally solve the issue. There was a f.... line hidden in some apache config file which it looks like I had commented out previously. I commented it out again and now it is working


Code:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

Thanks a lot for all the clarifications

Code:
#--------------------------------------------------------------------
# SESSION
#--------------------------------------------------------------------

app.sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler'
app.sessionCookieName = 'mysessiontest'
app.sessionExpiration = 7200
app.sessionSavePath = '/var/www/subdomains/mysubdomain/writable/session/'
app.sessionMatchIP = false
app.sessionTimeToUpdate = 300
app.sessionRegenerateDestroy = false

#--------------------------------------------------------------------
# COOKIE
#--------------------------------------------------------------------

cookie.prefix = ''
cookie.expires = 0
# cookie.path = '/'
cookie.domain = ''
cookie.secure = true
cookie.httponly = false
cookie.samesite = 'None'
cookie.raw = false

Thanks again
Reply
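An added diagnostic (not from this thread, from CodeIgniter or from the poster's setup) that applies the browser rule behind the fix above: when a Set-Cookie header carries the SameSite attribute more than once, the last occurrence wins, so an Apache `Header edit` line that appends `;SameSite=Strict` silently overrides the `SameSite=None` that CodeIgniter emitted. The sample headers below are constructed.

```python
# Constructed sample: the cookie CodeIgniter emits with cookie.samesite = 'None',
# and what the Apache line from the thread
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
# turns it into (the appended attributes come last, so they win).
CI4_HEADER = "cidisession=abc123; Path=/; Secure; SameSite=None"
APACHE_EDITED = CI4_HEADER + ";HttpOnly;Secure;SameSite=Strict"


def effective_samesite(set_cookie: str) -> dict:
    """Parse one Set-Cookie value and report how a browser will treat it.

    Follows the RFC 6265bis storage model: attribute names are matched
    case-insensitively and, when SameSite appears more than once, the LAST
    occurrence is the one stored. Returns the effective value, every SameSite
    value seen (in order), the Secure flag and a list of problems found.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    samesite_values, secure = [], False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite_values.append(value.strip().title())  # "none" -> "None"
        elif key == "secure":
            secure = True
    # No SameSite attribute: current browsers default to Lax.
    effective = samesite_values[-1] if samesite_values else "Lax"
    if effective not in ("None", "Lax", "Strict"):
        effective = "Lax"  # unknown values also fall back to the default
    problems = []
    if len(samesite_values) > 1:
        problems.append(f"SameSite set {len(samesite_values)} times "
                        f"({', '.join(samesite_values)}); something between the "
                        "app and the client is rewriting Set-Cookie")
    if effective == "None" and not secure:
        problems.append("SameSite=None without Secure; browsers drop this cookie")
    elif effective == "Strict":
        problems.append("SameSite=Strict: not sent on any navigation that starts "
                        "on another site, so a return from the payment processor "
                        "arrives without the session cookie")
    elif effective == "Lax":
        problems.append("SameSite=Lax: sent on top-level GET navigations only; a "
                        "cross-site POST return arrives without the session cookie")
    return {"name": cookie_name, "effective": effective,
            "seen": samesite_values, "secure": secure, "problems": problems}
```

Run it against the raw Set-Cookie header copied from the browser's network tab rather than against the app config, since the config only describes what the app sends before the web server edits it.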