2

I am using CI version 3.1.13 and PHP 7.4.33 to develop my webapp. I am using CyberSource payment gateway for online payments, but when user is getting redirected back from CyberSource to the webapp then the session is getting lost.

Below is the process

User Login => Select Package => Enter credit card details (POST data to CyberSource) => Redirect back from CyberSource POST data (now user login session is lost and user is redirected back to the login page due to lost session)

I have faced this issue 2 times in the past but wasn't able to find any promising solution and have to apply custom patch to resolve this (saving serialized session array to a temp database table and retrieving the session array from the temporary table if the session is lost)

Below is what I have tried so far without any proper resolution

  • https://stackoverflow.com/a/50792059/1835912 Go to system/libraries/Session/session.php at Line no 281 and replace ini_set('session.name', $params['cookie_name']); by ini_set('session.id', $params['cookie_name']); this resolves the issue in FireFox but not in Chrome
  • https://stackoverflow.com/a/66354648/1835912 You should use SameSite=None on your cookies attributes. Also if you use SameSite=None you should set the secure cookies attribute as well.
  • $config['cookie_secure'] = FALSE; // if is not under https, or true if you use https
  • $config['cookie_path'] = '/;SameSite=None';$config['cookie_secure'] = TRUE;
  • Tried changing PHP version to 7.1, 7.2, 7.3 and 8.1 (same issues for all these versions)
  • My webapp runs on secure protocol HTTPS and the cybersource return URL also has HTTPS
  • Followed this step by step youtube video: https://www.youtube.com/watch?v=j6jBxlrhTY4

Do anyone know any proper resolution for this, thanks in advance!

Nishant Solanki
  • 2,119
  • 3
  • 19
  • 32

2 Answers2

1

I am 99% sure the issue is that!

$config['cookie_secure'] =true; // must be true for samesite=none to work, can't have it off.

If that doesnt fix it you have more issues, the issue remaining other than that is your session domain. Maybe the redirect comes to a www or no-www version and cookies are by default set on the subdomain level and session relies on cookie. So if I am correct you can do one of the things:

  1. fix the redirect issue to be identical domain and protocol [recommended]
  2. set session domain scope to a dot leading root domain. '.domain.com'

This is assuming your other settings are right I would start by relaxing the strictions to debug:

  1. Samesite=None

  2. Cookie.Secure=True (SameSite=none requires secure to be one!)

  3. Everything should be on HTTPS and it seems your trying without, the payment gateway should have given you an error and it is not. They would be in violation of PCR Compliance. Even if you don't have an implementation that causes that to be a risk they just don't specially if they have any recurring payment/user management/CRM, etc...

Neo
  • 11,078
  • 2
  • 68
  • 79
0

https://stackoverflow.com/a/66354648/6934036 may help.
In my case, it wasn't related to PHP version or the above solution.
cookies are set via Set-Cookie header, when user redirect from the payment gateway to my site, there was no Set-Cookie so I couldn't authenticate user or access to any other cookies, I had to allow unauthenticated users to access the payment result page.

What I did was show the payment result page contains a link to access payment detail page to the user, after user redirect from payment result page to payment details page (with a link or automatically), I could access to cookies and authorize the user.

Mohammad Salehi
  • 565
  • 1
  • 12
  • 33