My website redirects the user to the payment gateway page. Once the user has completed the payment, they are redirected back to my website's receipt page, process.php. Please note that the user redirects away from, and returns to, an https page. The website URL is exactly the same, i.e. the user redirects away from https://website.com/payment.php to the Payment Gateway and then back to https://website.com/process.php?para1=true&para2=true
session_start();
print_r($_COOKIE);
print_r($_SESSION);
What I get is this:
Array(
[lang] => en
[theme] => light
[timezone] => Asia/Baghdad
)
Array(
)
What I expect to get is this:
Array(
[lang] => en
[theme] => light
[timezone] => Asia/Baghdad
[PHPSESSID] => 2b656f9120*********6fd1817316
)
Array(
[nonce] => 68e56bb********f2253529e09bf3f
[userID] => 1
[last_error] =>
[last_success] =>
)
Things I've tried:
- Failed to recreate the issue by redirecting the user to another website that I own and redirecting them back to process.php
- Tried redirecting a user who landed on process.php again to process.php
- On another tab, when I refresh any other page on my website, the PHPSESSID comes back. Refreshing process.php after refreshing another page makes PHPSESSID appear again.
- This is only happening when the Payment Gateway redirects the user back to my website. Redirecting from any other website using header("Location: website.com/process.php") does not reproduce the issue.
Answer
Do you have something like this in your Apache config?
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Changing Strict to Lax should solve your issue:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
See also https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Try changing the defaults for session_start():
<?php
// These parameters only take effect if they are set before session_start()
// on the request that issues the session cookie.
$maxlifetime = 0;     // 0 = session cookie, discarded when the browser closes
$secure = true;       // only send the cookie over HTTPS
$httponly = true;     // prevent JavaScript access to the session cookie
$samesite = 'lax';    // 'strict' would drop the cookie on the return from the gateway
if (PHP_VERSION_ID < 70300) {
    // Before PHP 7.3 there is no samesite parameter; append it via the path argument.
    session_set_cookie_params($maxlifetime, '/; samesite=' . $samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
} else {
    session_set_cookie_params([
        'lifetime' => $maxlifetime,
        'path'     => '/',
        'domain'   => $_SERVER['HTTP_HOST'], // client-supplied header; a fixed hostname is safer
        'secure'   => $secure,
        'httponly' => $httponly,
        'samesite' => $samesite,
    ]);
}
session_start();
See also https://www.php.net/manual/de/function.session-set-cookie-params.php#125072