cancel
Showing results for 
Search instead for 
Did you mean: 

external redirect with POST generates new PHPSESSID

external redirect with POST generates new PHPSESSID

During checkout, my customer is redirected to an external payment page, from my bank, to enter his payment information.

From this page, customer can either validate the payment or cancel.

Cancellation redirects to my website with a POST, while a redirection after validation redirect to my website with a GET.

GET redirection to my website works well.

POST redirection to my website generates a new PHPSESSID, so my customer looses his session (in other words, he looses his cart and is disconnected).

 

It seems to be linked to some new security standards with samesite set to Lax for PHPSESSID

https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie/SameSite

 

it is easy to reproduce if you create this HTML on your local PC:

 

<HTML>
<BODY>
<form action="https://yourwebsite.fr" method="GET">
<input type="submit" value="Submit">
</form>
</BODY>
</HTML>

 

 

if you first go to your website so a PHPSESSID is generated, then open this local file with chrome, and then press "submit" button, it will redirect to your website with same PHPSESSID, but if you now replace GET by POST:

 

<HTML>
<BODY>
<form action="https://yourwebsite.fr" method="POST">
<input type="submit" value="Submit">
</form>
</BODY>
</HTML>

 

 refresh your local page, then press 'submit' button, you will get a new PHPSESSID!

and so you'll be anonymous till you reconnect.

 

I know it is expected behavior because of Lax, so my question is how to have PHPSESSID being "Secure;SameSite='None'" instead of "SameSite=Lax'

 

I'm using nginx so tried things like this:

proxy_cookie_path / "/; SameSite=strict; secure; httponly ";
add_header Set-Cookie "Path=/; SameSite=strict; secure; httponly ";
proxy_cookie_path ~(.*) "$1; SameSite=strict; secure; httponly";

 

but it does not change any cookie configuration.

any idea where to make the change?

in php.ini? nginx? magento config?

 

thanks

 

 

2 REPLIES 2

Re: external redirect with POST generates new PHPSESSID

Hi @webrod,

 

Client session loss mostly occurs when redirecting from an external checkout page to Magento. Paypal has a pretty good method you can try it.

 

Use after plugin to handle:

<type name="Magento\Framework\Session\SessionStartChecker">
        <plugin name="transparent_session_checker" type="Name\Module\Plugin\TransparentSessionChecker"/>
</type>

Please refer to this link for more information about code processing. 

 

Hope this can help you! Let me know if you need further assistance.

___________

If issue solved, Click Kudos & Accept as Solution.

Marcus | LitExtension Expert
https://litextension.com/

Re: external redirect with POST generates new PHPSESSID

Hi @webrod,

 

Hope this can help you! Let me know if you need further assistance.

Marcus | LitExtension Expert
https://litextension.com/