Laravel Session and Auth clears after redirection from Payment Gateway

Question

I am using Laravel 7 and using PayTabs payment gateway for payments. When the user is redirected back from the Paytabs, all the sessions and Auth are cleared.

Before redirecting to the Paytabs, im saving the session when the data is put in the session. as

Session::put('data', $data);
Session::save();

And the redirection to Paytabs is as follows:

if ($response->response_code == "4012") { //Page created
    return redirect()->to($response->payment_url);
} else {
    abort(404);
}

I have also excluded the return url from CSRF Token check as follow:

VerifyCsrfToke.php

protected $except = [
   '/paytab_return'
];

Also I have checked that the Paytabs redirects to the correct URL with https and www.

Favor needed to tackle this issue. Thanks

Answer 1

This worked for Laravel 6.19.1:

1. I added a GET variable to my success, error or cancelUrls of the payment gate
2. This variable was called exactly the same as the name of the session cookie

$sessionKey = config('session.cookie') . '=' . session()->getId();
$successUrl = route('wirecardSuccess') . '?' . $sessionKey;

The URL I'd got is e.g.

http://beatbox.vnr:8082/vnr/payment/wirecard/success?self_service_local_vnr_session=qNSQ7SessionIdtEA3Z72ReuvgsFt

as the url, where self_service_local_vnr_session is my session cookie name and qNSQ7SessionIdtEA3Z72ReuvgsFt the ID of the current session.

3. Then I needed to extend the StartSession Middleware with this code

<?php

declare(strict_types=1);

namespace App\Http\Middleware;

use Illuminate\Contracts\Session\Session;
use Illuminate\Http\Request;

/**
 * Class StartSession
 * @package App\Http\Middleware
 */
class StartSession extends \Illuminate\Session\Middleware\StartSession
{
    /**
     * Get the session implementation from the manager.
     *
     * @param Request $request
     * @return Session
     */
    public function getSession(Request $request): Session
    {
        return tap($this->manager->driver(), static function ($session) use ($request) {

            $sessionCookieName = config('session.cookie');

            if ($request->has($sessionCookieName)) {
                $sessionId = $request->input($sessionCookieName);
            } else {
                $sessionId = $request->cookies->get($session->getName());
            }

            $session->setId($sessionId);
        });
    }
}

4. The payment was made and the redirection url (with the session id) allowed me to retrieve the old session information.

I hope it'll help someone, who lands on this page :)

Answer 2

edit this fields in config/session.php

'path' => '/;samesite=none',
'secure' => true,
'same_site' => 'none',