During checkout, my customer is redirected to an external payment page, from my bank, to enter his payment information.

From this page, customer can either validate the payment or cancel.

Cancellation redirects to my website with a POST, while a redirection after validation redirect to my website with a GET.

GET redirection to my website works well.

POST redirection to my website generates a new PHPSESSID, so my customer looses his session (in other words, he looses his cart and is disconnected).

It seems to be linked to some new security standards with samesite set to Lax for PHPSESSID

https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie/SameSite

it is easy to reproduce if you create this HTML on your local PC:

<HTML>
<BODY>
<form action="https://yourwebsite.fr" method="GET">
<input type="submit" value="Submit">
</form>
</BODY>
</HTML>

if you first go to your website so a PHPSESSID is generated, then open this local file with chrome, and then press "submit" button, it will redirect to your website with same PHPSESSID, but if you now replace GET by POST:

<HTML>
<BODY>
<form action="https://yourwebsite.fr" method="POST">
<input type="submit" value="Submit">
</form>
</BODY>
</HTML>

 refresh your local page, then press 'submit' button, you will get a new PHPSESSID!

and so you'll be anonymous till you reconnect.

I know it is expected behavior because of Lax, so my question is how to have PHPSESSID being "Secure;SameSite='None'" instead of "SameSite=Lax'

I'm using nginx so tried things like this:

proxy_cookie_path / "/; SameSite=strict; secure; httponly ";
add_header Set-Cookie "Path=/; SameSite=strict; secure; httponly ";
proxy_cookie_path ~(.*) "$1; SameSite=strict; secure; httponly";

but it does not change any cookie configuration.

any idea where to make the change?

in php.ini? nginx? magento config?

thanks