
I have a website running on JSP that is using an external service for payment. When a user pays they are redirected to an external url and when payment is finished they return. My problem is that sometimes (about 70% of the time) when the user returns, the session is lost (JSP creates a new empty session). This problem does not occur in Firefox or IE11.

I have confirmed that the server IP stays the same before and after the session changes so the load balancer is not the problem. I have also confirmed that response.encodeURL and response.encodeRedirectURL are used (the before/after URLs are equal) so the browser should have no problem with the cookie.

The website and the external service are both running on https, so the cookie setting should also not cause any problems.

Does anyone have an idea on what could cause this problem? The code is literally just this (except that the return_to is URL-encoded):

response.sendRedirect("https://paymentservice.com/pay?token=asd&return_to=https://mywebsite.com/finishtransaction.jsp");

The session is configured as sticky and only external links like the one above reset the session. I could not reproduce the problem with a URL shortener (tinyurl):

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%
  // print the current session id and the step parameter so a changed id is visible
  out.println(session.getId() + "<br>");
  out.println(request.getParameter("step") + "<br>");
%>
<script type="text/javascript">
  // navigate the opener window (if there is one) to redirectUrl and close the popup,
  // otherwise navigate the current window
  function redirect_window(redirectUrl){
    if((window.opener && !window.opener.closed)){
      window.opener.location.href = redirectUrl;
      window.open('about:blank','_self').close();
    }else{
      window.close();
      location.href=redirectUrl;
    }
  }

  setTimeout(function() {
    <c:if test="${param.step == null}">
    // step 0: open the test page in a popup
    var options;
    if (navigator.appName.charAt(0)=='M'){
        options = "fullscreen=1,scrollbars=yes";
    }else if (navigator.appName.charAt(0)=='N'){
        options = "left=0,top=0"
                + ",width=" + screen.width
                + ",height=" + screen.height
                + ",scrollbars=yes";
    }
    window.open("/test_session.jsp?step=1","test",options);
    </c:if>
    <c:if test="${param.step == 1}">
    // step 1: send the opener to step 2 and close the popup
    redirect_window("/test_session.jsp?step=2");
    </c:if>
  }, 3000);

</script>
sollniss
  • have you checked the session timeout value? (from tomcat) you don't necessarily need cookies. Sessions can last 30 or 40 minutes of inactivity. – Sergio Mar 07 '21 at 03:29

1 Answer


I was facing a similar problem. There can be two main reasons:

  1. Here I got the solution. Actually Google Chrome searches for favicon.ico when returning from an external URL. Make sure the .ico file is available and accessible if it is set on the page. (See: Session data lost in Chrome only)

  2. HttpCookie.SameSite property. Google has updated their properties. Read here, update the cookie setting method and try. Hope it will help. Example in PHP:

      <?php
      // the options-array form of setcookie() requires PHP 7.3 or newer
      $cookie_options = array(
       'expires' => time() + 60*60*24*30,
       'path' => '/',
       'domain' => '.domain.com', // leading dot for compatibility or use subdomain
       'secure' => true, // or false (SameSite=None is only accepted together with Secure)
       'httponly' => false, // or true
       'samesite' => 'None' // None || Lax || Strict
      );
      setcookie('cors-cookie', 'my-site-cookie', $cookie_options);
    
Bholu Bhaiya
  • The favicon is set properly and Chrome returns a 200 OK, but there are some other resources returning a 404 that could cause this problem. My question is though, on the top page I also have a missing image file for a banner, so shouldn't Chrome reset the session every time the top page is opened? – sollniss Mar 04 '21 at 07:20
  • This link will help you https://www.chromium.org/updates/same-site/test-debug#TOC-Testing-your-site SameSite Updates is the root of the problem. Set 'samesite' => 'None' // None || Lax || Strict in cookies. https://stackoverflow.com/questions/58191969/how-to-fix-set-samesite-cookie-to-none-warning – Bholu Bhaiya Mar 06 '21 at 10:32
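As an added example (not code from the question or the answer), a small Python model of the decision a browser makes about sending the session cookie when the user comes back from the payment site. The site names, the cookie name JSESSIONID and the request method used for the return are assumptions; it also shows why a cross-site return can keep the session in a browser that still treats a missing SameSite attribute as None.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str                       # site that set the cookie
    samesite: Optional[str] = None  # "Strict", "Lax", "None", or attribute absent
    secure: bool = False


@dataclass(frozen=True)
class Request:
    initiator_site: str             # site of the page that caused the request
    target_site: str                # site the request goes to
    method: str = "GET"
    top_level: bool = True          # navigation (False = iframe/subresource)
    https: bool = True


def cookie_sent(cookie: Cookie, req: Request, modern: bool = True) -> bool:
    """True if the browser attaches `cookie` to `req`.

    modern=True models Chrome 80+: an absent SameSite attribute is treated as
    Lax, and SameSite=None is only honoured together with Secure. modern=False
    models browsers that still treat an absent attribute as None.
    """
    if cookie.site != req.target_site or (cookie.secure and not req.https):
        return False
    mode = cookie.samesite or ("Lax" if modern else "None")
    if mode == "None":
        return cookie.secure or not modern
    if req.initiator_site == req.target_site:
        return True                 # same-site request: always sent
    if mode == "Strict":
        return False
    # Lax: cross-site only on a top-level navigation with a safe method
    return req.top_level and req.method.upper() in SAFE_METHODS


def payment_return_keeps_session(samesite: Optional[str], secure: bool,
                                 method: str, modern: bool = True) -> bool:
    """Constructed scenario: JSESSIONID was set by mywebsite.com and the browser
    comes back from paymentservice.com via a top-level request using `method`."""
    cookie = Cookie("JSESSIONID", "mywebsite.com", samesite, secure)
    back = Request("paymentservice.com", "mywebsite.com", method=method)
    return cookie_sent(cookie, back, modern)
```

The model leaves out Chrome's temporary "Lax+POST" exception (a cookie set without SameSite less than two minutes earlier is still sent on a cross-site top-level POST), which is one reason such failures look intermittent. For the Tomcat session cookie the equivalent of the PHP setting above is the `sameSiteCookies` attribute of the `CookieProcessor` element in context.xml.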