
Losing session data after POST from third party website

I have a Laravel site that redirects to a payment provider (external third party website). When the user completes their payment, they are redirected back to my site via a POST request.

The issue I’m having is that the user’s session is lost when they return to the confirmation page.

I wondered if this was behaviour of PHP generally but it seems to be specific to Laravel.

I have checked my sessions.php config file and can confirm the following is set: 'expire_on_close' => false.

I’ve created a very basic example of the issue below.

My website (pre-sale)

Controller

public function redirect()
{
    $user = Auth::user();
    dd($user); // returns User model (dd() halts execution, so nothing below runs while it is in place)
    // "return" is required: without it the redirect response is built but never sent to the browser
    return redirect()->away('http://www.example.com');
}

Payment provider website

Note, the request is sent via the application within the browser – not a callback. There is also no button. I just want to demonstrate the POST back to the Laravel site.

<html>
<head></head>
<body>

    <form method="POST" action="http://www.example.com/payment/confirmation">
        <input type="submit">
    </form>

</body>
</html>

My website (post-sale)

Route

Route::post('/payment/confirmation', 'PaymentPaymentController@confirmation');

Controller

public function confirmation()
{

    $user =  Auth::user();
    dd($user); // Returns null

}

I have added the path to the VerifyCsrfToken middleware’s exception array. Is there anything within Laravel that would destroy the session on POSTing via an external website? I’m sure I’m missing something obvious. Thanks.


Answer

I was able to resolve this issue by changing 'same_site' => 'lax', to 'same_site' => null, in config/session.php. This appears to be a new setting in Laravel 7+.

I’m not sure if there are any security implications caused by this change without further reading but this, for now, fixes the problem. It would be a nice feature to somehow whitelist certain domains.
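The answer changes same_site from 'lax' to null, and the setting it relaxes is exactly the one that decides whether the session cookie rides along on the payment provider's cross-site POST. As an added example that is not part of the original question or answer, and not Laravel's code, the following Python model implements the browser-side SameSite attachment rule for that scenario so the four values config/session.php accepts can be compared side by side. It assumes Chromium's documented behaviour (a cookie with no SameSite attribute is treated as Lax, except that a cookie set less than two minutes ago is still sent on a top-level cross-site POST; SameSite=None is only honoured together with Secure), which is a simplification of the real cookie rules; the Cookie, Request, cookie_is_sent, session_cookie_on_postback and compare_settings names are mine and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of browser SameSite handling for the scenario on this page:
# the payment provider's page submits a top-level cross-site POST back to the
# Laravel site, and the question is whether laravel_session travels with it.
# The two-minute "Lax+POST" window is Chromium's compatibility exception for
# cookies that carry no SameSite attribute at all (assumed here, see lead-in).
LAX_POST_WINDOW_SECONDS = 120
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str]   # "lax", "strict", "none", or None when the attribute is omitted
    secure: bool
    age_seconds: int = 0       # seconds since the browser stored the cookie


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool           # initiator site differs from the target site
    top_level: bool            # a navigation (form submit, redirect), not XHR/fetch/subresource
    https: bool
    lax_by_default: bool = True  # Chromium rule: treat a missing attribute as Lax


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req` (simplified model)."""
    if cookie.secure and not req.https:
        return False
    mode = cookie.same_site
    if mode is None:
        if not req.lax_by_default:
            return True  # legacy rule: no SameSite restriction at all
        # Lax+POST exception: a fresh attribute-less cookie still rides on a
        # top-level cross-site POST, which is why same_site => null "works" at first.
        if (req.cross_site and req.top_level and req.method == "POST"
                and cookie.age_seconds < LAX_POST_WINDOW_SECONDS):
            return True
        mode = "lax"
    if mode == "none":
        return cookie.secure  # SameSite=None is rejected unless the cookie is also Secure
    if not req.cross_site:
        return True
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {mode!r}")


def session_cookie_on_postback(same_site_setting: Optional[str], secure: bool = True,
                               cookie_age: int = 30, lax_by_default: bool = True,
                               method: str = "POST") -> bool:
    """Does laravel_session arrive on the provider's cross-site navigation back to the site?"""
    cookie = Cookie("laravel_session", same_site_setting, secure, cookie_age)
    req = Request(method=method, cross_site=True, top_level=True, https=True,
                  lax_by_default=lax_by_default)
    return cookie_is_sent(cookie, req)


def compare_settings() -> dict:
    """Outcome of the POST back for each value config/session.php accepts, with a fresh cookie."""
    return {setting: session_cookie_on_postback(setting)
            for setting in ("lax", "strict", "none", None)}


if __name__ == "__main__":
    for setting, sent in compare_settings().items():
        print(f"same_site => {setting!r:8} session cookie sent on POST back: {sent}")
    print("null, cookie older than 2 minutes:", session_cookie_on_postback(None, cookie_age=600))
    print("lax, provider POSTs to a callback that 302s, browser follows with GET:",
          session_cookie_on_postback("lax", method="GET"))
```

Two practical points fall out of the model. First, null is fragile: under Chromium's Lax-by-default the session only survives the POST back while the cookie is under two minutes old, so a user who logged in earlier will still land on the confirmation page logged out; 'none' together with 'secure' => true makes the cross-site behaviour explicit, but it requires the site to be served over HTTPS (the page's examples use http:// placeholders) and it means the session cookie accompanies every cross-site POST, which is why the VerifyCsrfToken exception on this route deserves attention. Second, SameSite has no per-domain allow list like the one the answer wishes for; the design that keeps 'lax' is to let the provider POST to a callback route that identifies the order from the POST body and the provider's own verification, then respond with a redirect, because the browser's follow-up request is a top-level GET and Lax cookies are sent on those.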

User contributions licensed under: CC BY-SA