Question 7952 in PHP Versions Question posted in
You can find a list of all versions here.

Session destroy randomly after redirection from PayU payment gateway redirection in Codeigniter 4 – PHP Versions

This question is posting after trying many solutions for about past 2 days and nothing is worked. Session in my Codeingiter 4 project behaving in a strange manner. There is a payment module in my application and PayU is my payment gateway provider. After the payment gateway redirection PayU will post some response data in my URL. At this time session destroys automatically. I don’t know why and for your understanding it’s happening becasue it’s not happening everytime, say out of 10 session will destroy 7 time after the successfull payment. I get all the response from the PayU inside my controller. If the payment is cancelled by the use the frequency is about 5 out of 10 tries. This issue is only happends after redirection from PayU payment gateway irrespective of the payment status. I tried this,this,this,this and many other sites other than in StackOverflow.

I’m using Open LiteSpeed server in AlmaLinux 8. I added this in my virtual server config file

context / {
    location    $DOC_ROOT/
    allowBrowse    1
    extraHeaders  header edit set-cookie $1;httponly;secure;samesite=none
  }

My htaccess file doesn’t contain anything other than a rewrite rule for hiding public from URL.

This is my .env

app.sessionDriver = 'CodeIgniterSessionHandlersDatabaseHandler' // Initially it was FileHandler
app.sessionCookieName = 'ci_session'
app.sessionExpiration = 7200
app.sessionSavePath = ci_sessions
# app.sessionMatchIP = false
app.sessionTimeToUpdate = 300
# app.sessionRegenerateDestroy = false

# app.CSPEnabled = false
// Initially all the cookie preferences are commented out experimented with different values.
cookie.prefix = ''
cookie.expires = 7200
cookie.path = '/'
cookie.domain = '<domain_name>'
cookie.secure = true
# cookie.httponly = false
cookie.samesite = 'none' // I tried Lax also
# cookie.raw = false

security.csrfProtection = 'cookie'
security.tokenName = 'csrf_token_name'
security.headerName = 'X-CSRF-TOKEN'
security.cookieName = 'csrf_cookie_name'
security.expires = 7200
security.regenerate = true
security.redirect = true
security.samesite = 'Lax'
curlrequest.shareOptions = true

I tried this in my BaseController

public function initController(RequestInterface $request, ResponseInterface $response, LoggerInterface $logger)
    {
        // Do Not Edit This Line
        parent::initController($request, $response, $logger);

        // Preload any models, libraries, etc, here.

        $this->session = ConfigServices::session();
        session();
    }

I added this line in my php.ini

session.auto_start = 1

After the payment PayU will post response to this function
I’m using PHP 7.4, Codeigniter 4.1.5 and Litespeed 1.7.14.

Update

I updated Codeingiter version to 4.2.3 latest version but there is no heal for this issue.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    The reply given from PayU is,

    TL;DR - In Chrome v.84 SameSite cookie attribute is released which if not handled by the server may lead to an issue causing loss of session data or session ID gets NULL.The issue where cookies are getting NULL in return journey is occurring with chrome browser 84+ version.There is no restriction from PayU's end as such for cookies .

    Solution Suggested:The chrome 84 security update says that SameSite attribute of cookie will be Lax(allowed for GET requests) by default and if we want cookie to travel then it should be marked SameSite : None and "Secure" explicitly. (Ref. https://web.dev/samesite-cookies-explained/

    Session getting null or getting destroyed during the transaction is not happening due to PayU but Chrome has updated some cache and cookies policy in their last update v84, same has to be implemented in your session.

    PayU is not playing any role with the session,If you will try same on Mozilla it will work there and you will not face any null session issue.

    Please find the below points available on Chrome forum to replicate this issue.

    A cookie associated with a cross-site resource at was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .

    Please find below solution for this issue:

    The issue where cookies are getting NULL in return journey is occurring with chrome browser 84+ version. There is no restriction from PayU's end as such for cookies . Solution Suggested:The chrome 84 security update says that SameSite attribute of cookie will be Lax(allowed for GET requests) by default and if we want cookie to travel then it should be marked SameSite : None and "Secure" explicitly. (Ref. https://web.dev/samesite-cookies-explained/

    • SameSite cookies explained Learn how to mark your cookies for first-party and third-party usage with the SameSite attribute. You can enhance your site's security by using SameSite's Lax and Strict values to improve protection against CSRF attacks. Specifying the new None attribute allows you to explicitly mark your cookies for cross-site usage. web.dev

    Please check with your tech team if after making changes at your end , session id is NULL in return journey to merchant website. If session id is Null , Please find below RCA on issue with chrome browser 84 version.

    This is to inform you about the changes released by Chrome in the latest update v.84 and its impact on transaction processing. Below are the details on the same.

    Incident Reference across pan India Session ID missing in header response post-payment resulting in session data loss. A few merchants across PayU have raised concerns of loss of the session, when the transaction is processed on Chrome browser having version greater than v84. This issue is arising due to the change in Cookie policy from Chrome. The changes block the cookies from retaining when user moves across the multiple domains, and thus, resulting in loss of session for the user.

    Transaction Impact High

    Affected Area Production and UAT

    Short Description of Incident treating Q.1 How does the Chrome SameSite Cookie policy affect my browser redirection integration? In Chrome v.84 SameSite cookie attribute is released which if not handled by the server may lead to an issue causing loss of session data or session ID gets NULL. Merchants might experience sudden surge of incomplete orders at their end Q.2 About Chrome's SameSite Cookie Policy For users running Chrome v.84 and higher, Chrome is enforcing a secure-by-default cookie classification system treating cookies that have not declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None will be available, provided they are being accessed from secure connections. Chrome 84 release note link for reference:https://support.google.com/chrome/a/answer/7679408?hl=en Q.3 How to fix (or prepare) for it? Session data is not a part of PayU integration, it is managed by merchants. You can refer to the link below and make required changes.Below link can be used for reference. ( Ref. https://web.dev/samesite-cookies-explained/ )

    SameSite cookies explainedLearn how to mark your cookies for first-party and third-party usage with the SameSite attribute. You can enhance your site's security by using SameSite's Lax and Strict values to improve protection...web.dev


  2. 0

    Make following changes.

    in config/cookie.php page set

    $secure = true ;
    $samesite = ‘None’;

    in config/security.php set

    $samesite = ‘None’;

    Then give absolute path as redirect url:
    eg: domain.com/customer/Pay/checkTransaction

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search