Reputation: 4711
If I was to store some order details in a session whilst the customer is redirected to a payment gateway, would they be lost by the time the customer returns from the gateway?
My plan is:
website takes order -> store order in session -> website goes to PayPal -> payment made -> returns using PayPal auto-return to confirmation page -> on return, get session order data and submit to database.
Upvotes: 1
Views: 9075
Reputation: 408
The session remains active as per your application's session expiry settings.
Newer browser versions might be destroying the session because of the new cookie policy.
References:
https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Whenever the cookie is required to be sent to the server, the browser checks the SameSite attribute to decide whether the cookie is to be sent to the server or blocked. For user actions it is sent to the server, but for auto-redirects it is not if SameSite is set to 'Strict' or 'Lax' (Lax is going to be the default value now).
Solution:
The cookie attribute SameSite can be set to 'None' along with setting the 'Secure' attribute to 'true'. Setting the 'Secure' attribute to 'true' requires your site to run on https; sites running on the http:// protocol will not be able to set a 'Secure' cookie. Please set the 'HttpOnly' attribute to 'true' so that the cookie is accessible only to http requests to the server.
In PHP, it can be achieved as below:
// PHP < 7.3 has no SameSite parameter, so the attribute is smuggled in through the path argument; PHP 7.3+ accepts an options array with a 'samesite' key instead.
session_set_cookie_params(0, '/PATH/; SameSite=None', <COOKIE_DOMAIN>, true, true);
Upvotes: 0
Reputation: 61
I found the problem.
PayPal redirects the client back to yoursite.com without the www.
Cookies on http://www.yoursite.com
and http://yoursite.com
are not considered the same.
To fix that, add a .htaccess to your www root:
# Redirect the bare host to www so the session cookie set on www is sent on return
RewriteEngine on
RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
# $1 keeps the requested path; the query string is passed through by default
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]
Upvotes: 6
Reputation: 794
As long as the customer has cookies enabled in their browser, the session will remain when they return, unless they've closed their browser window first. Session IDs are kept in a cookie, which expires when the browser closes.
You could also, if you wanted to, keep the information in a cookie, though this would be less preferable if there was any private information you needed to be kept.
EDIT: also, the answer about creating a session in HTTPS and then accessing it again in HTTP is correct.
Upvotes: 0
Reputation: 673
The session may be lost if the visitor was on HTTP when leaving and comes back on HTTPS (or vice versa).
Upvotes: 3
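Three of the answers here each name one reason the session cookie may not come back (SameSite, the www versus bare-host mismatch, and the HTTP/HTTPS switch). The following is an added example, not from any of the answers, that models the browser's decision to attach the session cookie to the gateway's return request under those rules as RFC 6265bis states them (Lax sends the cookie on a cross-site top-level GET but not on a POST; None requires Secure). The cookie and request classes and all field values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# RFC 6265bis "safe" methods: SameSite=Lax attaches cookies to cross-site
# top-level navigations only when the request method is one of these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class SessionCookie:
    """Attributes of the session cookie (constructed values for illustration)."""
    domain: str              # host the cookie was set on, e.g. "www.yoursite.com"
    secure: bool             # Secure attribute present
    samesite: str            # "Strict", "Lax" or "None"
    host_only: bool = True   # no Domain attribute: matches that exact host only

@dataclass
class ReturnRequest:
    """The request the gateway's redirect makes to your confirmation page."""
    host: str                # e.g. "yoursite.com" when the gateway drops the www
    scheme: str              # "http" or "https"
    method: str              # "GET" for auto-return, "POST" for a form post-back
    cross_site: bool         # True: the navigation was initiated on the gateway's site
    top_level: bool = True   # False for an iframe or fetch, True for a redirect

def domain_matches(cookie: SessionCookie, host: str) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    parent = cookie.domain.lstrip(".")   # Domain=yoursite.com also covers www
    return host == parent or host.endswith("." + parent)

def cookie_would_be_sent(cookie: SessionCookie, req: ReturnRequest) -> tuple:
    """Return (sent, reason) for the browser's decision to attach the cookie."""
    if not domain_matches(cookie, req.host):
        return False, "host mismatch: cookie for %s, request to %s" % (cookie.domain, req.host)
    if cookie.secure and req.scheme != "https":
        return False, "Secure cookie is never sent over http"
    if cookie.samesite == "None":
        if not cookie.secure:
            return False, "SameSite=None without Secure is rejected by the browser"
        return True, "SameSite=None; Secure: sent even on cross-site requests"
    if not req.cross_site:
        return True, "same-site request"
    if cookie.samesite == "Strict":
        return False, "SameSite=Strict blocks every cross-site request"
    # Lax (the new browser default): only safe-method top-level navigations qualify.
    # Chrome's temporary Lax+POST allowance for fresh cookies with no explicit
    # SameSite attribute is deliberately not modelled here.
    if req.top_level and req.method.upper() in SAFE_METHODS:
        return True, "SameSite=Lax allows a cross-site top-level GET"
    return False, "SameSite=Lax blocks a cross-site %s" % req.method.upper()
```

Run the PayPal return request through this with your real cookie attributes and the exact host and scheme the gateway redirects to; the reason string names which of the three answers applies to your setup.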
Reputation: 57709
That depends on how long it takes them to come back to your site. I don't know what the default expiry time is for sessions, but you can assume it to be anywhere from a few minutes to a few hours.
If you want to assure the user gets to see whatever he needs to, you will need the payment gateway to redirect the user to a URL that you specify. For instance:
/payment.php?status=complete&receipt=875628dwf87sdfsg785623
Where the receipt identifies anything you want it to: the user, the transaction, both?
Most payment gateways support such a feature. If yours does not, contact your payment gateway.
If you want to show them a receipt, do not use sessions or cookies; use the return URL method I describe.
Upvotes: 3
Reputation: 20045
The session is an ID that identifies the session and the data belonging to it. The data is stored on your server for as long as you like. The ID is either saved in a cookie or handled as a GET parameter, which should generally be avoided. If you have the ID saved in a cookie, then there is no reason why another site should interfere with it.
So I see no reason why your session should be lost.
Upvotes: 1
Reputation: 28174
Sessions won't get "lost" as long as your server supports session cookies, but they may expire.
Upvotes: 2