PHP 7.3.23 with CI 4.0.4. I am redirecting to the CCAvenue payment gateway; after the payment is done, the session data is lost. The console shows this message:
"Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute." Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
You most likely do want to keep your session cookies set to SameSite=Lax for improved protection against CSRF attacks. It sounds as if your payment gateway sends a POST request to return the user to your site. You should either:
Process that returning request without the session cookie. e.g. that request should have everything in the payload for you to determine if the transaction was a success. You can then show a status page or similar with links to allow the user to continue to other pages. Following any of those links will be a same-site navigation and will include your session cookies again.
Use the POST/Redirect/GET pattern, where you process the incoming POST request to extract the details from it, then perform a redirect to another page on your site. That GET request is a same-site request and your session cookies will be available again.
I've also explained this here: https://goo.gle/samesite-3d-secure
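A sketch of the POST/Redirect/GET option in plain PHP, added here as an example and not part of the original answer. The field names, the /payment/status path, the pending_order session key, the file-based store and the HMAC check are all assumptions standing in for your gateway's documented verification scheme.

```php
<?php
// Added example: names, paths, the secret and the HMAC check are assumptions.
// The gateway payload is authenticated before use; it is never trusted as posted.
const GATEWAY_SECRET = 'constructed-demo-secret';
const ORDER_ID_RE = '/^[A-Za-z0-9_-]{1,64}$/';
function parse_gateway_return(array $post): ?array
{
    $id = $post['order_id'] ?? '';
    $status = $post['status'] ?? '';
    $sig = $post['signature'] ?? '';
    if (!is_string($id) || !is_string($status) || !is_string($sig)
        || !preg_match(ORDER_ID_RE, $id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $id . '|' . $status, GATEWAY_SECRET);
    return hash_equals($expected, $sig) ? ['order_id' => $id, 'status' => $status] : null;
}

// Step 1, cross-site POST: the Lax session cookie is absent, so do not call
// session_start() here (it would issue a fresh, empty session cookie).
function handle_return(array $post, string $storeDir): array
{
    $result = parse_gateway_return($post);
    if ($result === null) {
        return [400, null];
    }
    file_put_contents("$storeDir/{$result['order_id']}.json", json_encode($result), LOCK_EX);
    return [303, '/payment/status?order=' . rawurlencode($result['order_id'])];
}

// Step 2, same-site GET: the session is back; only show the order it started.
function handle_status(array $get, array $session, string $storeDir): string
{
    $id = $get['order'] ?? '';
    if (!is_string($id) || !preg_match(ORDER_ID_RE, $id)
        || ($session['pending_order'] ?? null) !== $id
        || !is_file("$storeDir/$id.json")) {
        return 'Unknown order';
    }
    $result = json_decode(file_get_contents("$storeDir/$id.json"), true);
    return "Order $id: " . $result['status'];
}

// Constructed sample input: a signed gateway POST, then the same-site GET.
$dir = sys_get_temp_dir();
$post = ['order_id' => 'ORD1001', 'status' => 'Success'];
$post['signature'] = hash_hmac('sha256', 'ORD1001|Success', GATEWAY_SECRET);
[$code, $location] = handle_return($post, $dir);
echo $code, ' ', $location, "\n", handle_status(['order' => 'ORD1001'], ['pending_order' => 'ORD1001'], $dir), "\n";
```

In a deployed handler, the status code and location returned by handle_return would be sent with header('Location: ' . $location, true, 303), and pending_order would be written to the session before the user is sent to the gateway.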