Why Laravel user is logged out after redirecting back from payment?

4
votes

I deployed my Laravel app to shared hosting (cpanel). For paying, the user first redirects to a bank account and then redirects to my page. during this procedure, the user gets logged out!

for protecting my routes I use auth middleware and for session driver, I use the default session driver which is file. also, the permission for framework/sessions is 777.

this is the code which redirect to the bank page:

            $go = "https://thebank/example";
            redirect()->to($go)->send();

and after a successful payment, the bank redirects to a route that I specified for verifying the payment.

Route::get('/payment/callBack' , 'PaymentController@VerifyData')->middleware('auth');

the route utilizes the auth middleware However most of the time the user is not logged in and automatically redirects to login page. I noticed if I don't use the auth middleware and if the user refreshes the page the user logs in automatically. this is not something that usually happens with laravel. I also tried the cookie driver for session and it didn't work and caused more problems.

I also didn't gain any success in storing user_id and cart_id in the default PHP $_SESSION. all SESSIONS seems to be cleared when user redirects back from the bank page.

how can I fix the problem?

4
laravel
Is it possible that the bank is redirecting the user to a slightly different domain or protocol? E.g. sending them to a www variant of the site, or http instead of https? That could cause issues with the session cookie not being sent.John Ellmore
I checked, it is not the case.Hadi Aghandeh
@HadiAghandeh Did you fix this issue? I have the same problem now.Ribaz
any fix for this issue? I have the same problem, when user hasn't checked the "remember me" box, after redirecting to callback user is logged outHamid Vetr

4 Answers

5
votes

Laravel 7 Changes

Our package is compatible with Laravel 7 but the same_site setting is changed in default Laravel installation, make sure you change same_site to null in config/session.php or callback won't include cookies and you will be logged out when a payment is completed. So inside your config/session.php update

return [
  ...
  ...
  'same_site' => null,
  ...
  ...
];
0
votes

you can refer this example https://medium.com/justlaravel/how-to-integrate-paypal-payment-gateway-in-laravel-695063599449 and implement the payment gateway. on callback your auth doesnt get user logged in token propery to get back on same

0
votes

I solved this issue by adding an API route for callback. Inside controller you can redirect or return view.

0
votes

The new versions of the browsers might be logging you out because of the new cookie policy.

References https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Whenever the cookie is required to be sent to server, the browser sees the SameSite attribute to decide if the cookie to be sent to server or blocked. For user actions, it is sent to the server but for auto-redirects, it doesn't if SameSite is set to 'Strict' or 'Lax' (Lax is going to be the default value now).

Solution: The cookie attribute SameSite can be set to 'None' along with specifying the 'Secure' attribute to 'true'. Setting 'Secure' attribute to 'true' would require your site to run on https. Sites running with http:// protocol will not be able to set 'Secure' cookie. Please set the 'HttpOnly' attribute to 'true' for making it accessible for http requests to the server only.

In PHP, it can be achieved as below session_set_cookie_params(0, '/PATH/; SameSite=None', <COOKIE_DOMAIN>, true, true);