I deployed my Laravel app to shared hosting (cPanel). For paying, the user is first redirected to a bank account and then redirected back to my page. During this procedure, the user gets logged out!
To protect my routes I use the auth middleware, and for the session driver I use the default, which is file. Also, the permission for framework/sessions is 777.
This is the code which redirects to the bank page:
$go = "https://thebank/example";
redirect()->to($go)->send();
And after a successful payment, the bank redirects to a route that I specified for verifying the payment:
Route::get('/payment/callBack', 'PaymentController@VerifyData')->middleware('auth');
The route uses the auth middleware; however, most of the time the user is not logged in and is automatically redirected to the login page. I noticed that if I don't use the auth middleware and the user refreshes the page, the user logs in automatically. This is not something that usually happens with Laravel. I also tried the cookie driver for the session, and it didn't work and caused more problems.
I also didn't have any success storing user_id and cart_id in the default PHP $_SESSION. All sessions seem to be cleared when the user redirects back from the bank page.
How can I fix the problem?
5 Answers
This is one of my very old questions that I figured out myself but forgot to share the solution for. However, since I see this page is still active, I decided to share my solution.
My problem actually was the protocol of the redirect URL. My mistake was that I set the redirect URL of '/payment/callBack' to http, while my website was https. The sessions for https and http are different, so a user logged in on https cannot be logged in on http. My solution was to first correct the callback URL to the https version, and then set the nginx config to redirect all http to https.
The same_site setting is changed in the default Laravel installation; make sure you change same_site to null in config/session.php, or the callback won't include cookies and you will be logged out when a payment is completed. So inside your config/session.php update
I solved this issue by adding an API route for the callback. Inside the controller you can redirect or return a view.
The new versions of the browsers might be logging you out because of the new cookie policy.
References
https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Whenever the cookie is required to be sent to the server, the browser looks at the SameSite attribute to decide whether the cookie is to be sent to the server or blocked. For user actions it is sent to the server, but for auto-redirects it isn't if SameSite is set to 'Strict' or 'Lax' (Lax is going to be the default value now).
Solution:
The cookie attribute SameSite can be set to 'None' along with setting the 'Secure' attribute to 'true'. Setting the 'Secure' attribute to 'true' would require your site to run on https. Sites running with the http:// protocol will not be able to set a 'Secure' cookie.
Please set the 'HttpOnly' attribute to 'true' to make it accessible to HTTP requests to the server only.
In PHP, it can be achieved as below:
// PHP < 7.3 trick: the SameSite attribute is smuggled in through the path argument.
// On PHP 7.3+ pass an options array with 'samesite' => 'None' instead.
session_set_cookie_params(0, '/PATH/; SameSite=None', <COOKIE_DOMAIN>, true, true);
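To make the config/session.php same_site advice and the SameSite/Secure explanation above concrete, here is an added Python model that is not part of any answer on this page: it renders the Set-Cookie header a Laravel-style session config would produce (the config keys mirror config/session.php) and predicts whether the browser attaches that cookie on the bank's redirect back to the callback route. It assumes current Chrome behaviour, where a cookie with no SameSite attribute is treated as Lax; the config and request contexts are constructed for illustration.

```python
from typing import Optional


def build_set_cookie(name: str, value: str, cfg: dict) -> str:
    """Render the Set-Cookie header a Laravel session config would produce.

    Rejects SameSite=None without Secure, which browsers silently discard,
    so a bad config/session.php fails loudly instead of losing the session.
    """
    same_site = (cfg.get("same_site") or "").lower() or None
    secure = bool(cfg.get("secure"))
    if same_site == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={cfg.get('path', '/')}"]
    if cfg.get("domain"):
        parts.append(f"Domain={cfg['domain']}")
    parts.append(f"Max-Age={int(cfg.get('lifetime', 120)) * 60}")  # minutes -> seconds
    if secure:
        parts.append("Secure")
    if cfg.get("http_only", True):
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site.capitalize()}")
    return "; ".join(parts)


def cookie_sent(same_site: Optional[str], cross_site: bool, method: str,
                top_level: bool = True) -> bool:
    """Would the browser attach the cookie to this request?

    Follows the MDN SameSite rules; a cookie with no attribute is treated as
    Lax, as current Chrome does (its short-lived Lax+POST grace period for
    such cookies is ignored here). The bank's redirect back is a cross-site
    top-level navigation: a 302-to-GET keeps a Lax cookie, a POST drops it.
    """
    mode = (same_site or "lax").lower()
    if not cross_site or mode == "none":
        return True
    if mode == "strict":
        return False
    return top_level and method.upper() == "GET"  # Lax


if __name__ == "__main__":
    # Constructed config mirroring the relevant config/session.php keys.
    cfg = {"same_site": "lax", "secure": True, "http_only": True, "lifetime": 120}
    print(build_set_cookie("laravel_session", "abc123", cfg))
    for method in ("GET", "POST"):
        print(f"Lax cookie on bank {method} callback:", cookie_sent("lax", True, method))
```

If the gateway returns the user with a POST, a Lax session cookie is not attached and the auth middleware sees an anonymous request; the fix is either a GET-based return URL or SameSite=None together with Secure on an https site.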
I have a configuration with this. But it's not working.
If I set this
Then it works.
Solution for Laravel 8:
Ref https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie