Session automatically gets destroyed on payment gateway call back in Laravel

Question

I am trying to integrate CCavenue.com payment gateway in my Laravel 7 project. The only issue I face is in Call back url where an active session is automatically destroyed after getting the post data from Payment Gateway. I have also added the CSRF exception to Middleware.

PayController (Generate Payment Request and URL)

<?php

namespace App\Http\Controllers\user;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;

class PayController extends Controller

{

public function __construct()
{
    $this->middleware('auth:web');
}


public function index()
{

    return view('user.addmoney');
}


public function addmoney(Request $request)
{
    $validatedData = $request->validate([
        'Amount' => 'required|numeric',
    ]);

    $Amount = $validatedData['Amount'];

    $working_key = '5dfsdfsdf3323423'; //Shared by CCAVENUES
    $access_code = 'asdasdas234234'; //Shared by CCAVENUES

    echo $merchant_data = 'merchant_id=555&order_id=123654789&amount=' . $Amount . '&currency=AED&redirect_url=http://localhost:8000/addmoneyresponse&cancel_url=http://localhost:8000/addmoneyresponse&language=EN&billing_name=Charli&billing_address=Room no 1101, near Railway station Ambad&billing_city=Indore&billing_country=India&billing_tel=9595226054&billing_email=atul.kadam@avenues.info&promo_code=&customer_identifier=&integration_type=iframe_normal&';
    $encrypted_data =  $this->encrypt($merchant_data, $working_key); // Method for encrypting the data.


    echo "<br>";

    $production_url = 'https://secure.ccavenue.ae/transaction/transaction.do?command=initiateTransaction&encRequest=' . $encrypted_data . '&access_code=' . $access_code;

    return redirect()->away($production_url);


    //return view('user.addmoneyrequest', compact('production_url'));


}






function encrypt($plainText, $key)
{
    $key = $this->hextobin(md5($key));
    $initVector = pack("C*", 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f);
    $openMode = openssl_encrypt($plainText, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $initVector);
    $encryptedText = bin2hex($openMode);
    return $encryptedText;
}

function decrypt($encryptedText, $key)
{
    $key = $this->hextobin(md5($key));
    $initVector = pack("C*", 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f);
    $encryptedText = $this->hextobin($encryptedText);
    $decryptedText = openssl_decrypt($encryptedText, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $initVector);
    return $decryptedText;
}
//*********** Padding Function *********************

function pkcs5_pad($plainText, $blockSize)
{
    $pad = $blockSize - (strlen($plainText) % $blockSize);
    return $plainText . str_repeat(chr($pad), $pad);
}

//********** Hexadecimal to Binary function for php 4.0 version ********

function hextobin($hexString)
{
    $length = strlen($hexString);
    $binString = "";
    $count = 0;
    while ($count < $length) {
        $subString = substr($hexString, $count, 2);
        $packedString = pack("H*", $subString);
        if ($count == 0) {
            $binString = $packedString;
        } else {
            $binString .= $packedString;
        }

        $count += 2;
    }
    return $binString;
    }
}

PayResponseController (Process Callback)

<?php

namespace App\Http\Controllers\user;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;


class PayResponseController extends Controller
{


    public function addmoneyresponse(Request $request)
    {


        return $request->all();

        //return view('user.dashboard');



    }
}

Answer 1

In session.php use 'samesite' => null instead of 'samesite' => 'lax'

Answer 2

I had this problem, I added an API route for callback and return a view inside it:

In routes folder, api.php file:

Route::post('/callback','callbackController@callback');

Inside controller:

public function callback(Request $request) {

// some code here 

return view('callback');
}

and set this one for callback:

http://yourdomain.com/api/callback

Answer 3

In Laravel 7 there is an option inside your config/session.php called as same_site setting which has been changed in default Laravel installation, make sure you change same_site to null otherwise callback won't include cookies and you will be logged out when a payment is completed. So inside your config/session.php update

return [
  ...
  ...
  'same_site' => null,
  ...
  ...
];

Updated: Some of the payment gateway causing the same issue, so even after setting the same_site to null the issue was not resolved so the other one more solution can be

'secure' => env('SESSION_SECURE_COOKIE', null) 

Setting this 'secure' option to false instead of null

'secure' => env('SESSION_SECURE_COOKIE', false)

Answer 4

I had a similar issue and the solution is to make that remember me from the login button is set to true. The remember me token only changes after a user have logged out.