
grenadecx

Missing session data

In my laravel application, I have a route that generates a payment link to an external payment provider and saves the reference to an order in a session. Then I get redirected to the external payment provider. Let's call this step one.

When I complete the payment or cancel, the payment provider returns a post request to another route. Let's call this step two.

When I return from the payment provider to that route, I lose my session temporarily. What I mean by that is that when I check the session data from the post request, it's a new session with a new session id. But if I go up to the url and make a get request to the same url, I get the session id I had in the first step with the session data intact.

Also, I only lose the session data if it's a post request from an external site; if it's from the same site it's all fine. What's going on here? What am I missing?

The route is defined with any in web.php, so it can receive both post and get requests. The route is also added to the VerifyCsrfToken middleware to prevent an error with the csrf token when the external payment gateway makes the post request.

Step 2 with get request:

"Tf2uaMfV8XCDmLNgQH7VegUEiXwyG0En5jhswy4G"

array:5 [▼
  "_token" => "j47Kv2pm1LhxwvIGP1OSt8wIjPA7YxtgBEfqMP2v"
  "_flash" => array:2 [▶]
  "_previous" => array:1 [▶]
  "booking_id" => 34
  "payment" => array:2 [▼
    "number" => "4036434"
    "url" => "https://paymentgatewayurl.com"
  ]
]

Step 2 with post request from external payment provider:

"0mvgc7tXpXdcFyKny6WXdUX06AJifcfAiMvAq0NT"

array:1 [▼
  "_token" => "0rPrbkOdtW8Q0tDRIApG2BInsbU8pmPrw8BzxbWb"
]

After that, if I check again with a get request:

"Tf2uaMfV8XCDmLNgQH7VegUEiXwyG0En5jhswy4G"

array:5 [▼
  "_token" => "j47Kv2pm1LhxwvIGP1OSt8wIjPA7YxtgBEfqMP2v"
  "_flash" => array:2 [▶]
  "_previous" => array:1 [▶]
  "booking_id" => 34
  "payment" => array:2 [▼
    "number" => "4036434"
    "url" => "https://paymentgatewayurl.com"
  ]
]

The function in the controller that generates the output from the above is:

public function checkout(Request $request)
{
    // dump the current session id and all session data, then stop
    dd($request->session()->getId(), $request->session()->all());
}

Any help is appreciated!

Snapey

The call from your payment provider won't have any session cookie if it is direct from them to your site. Therefore it has nothing to do with your user session. You must give them some form of transaction number so that you know what the message is about when you receive it.

grenadecx

Thanks for taking the time to answer this. Maybe I'm not fully explaining it right. Or did Laravel change how it handles requests? I have no such problems with Laravel 5.7; it's not until I upgraded to 8 that it became a problem.

The session is still in the browser from the user, so why wouldn't it have access to it?

Edit: So the external payment provider does a post request in the browser back to the laravel website (so the user gets redirected in that call), not as an api call. If that was unclear. It's similar to for example when you pay with paypal, you get redirected to paypal site, and when done, it redirects you back. Now that redirection can be a get or post. In my case it's a post request back.

Snapey

The only way the server knows the request is from the same user is via the session cookie.

What you are saying is that the user's browser is sent to the payment site, then the payment provider sends a message back to javascript in the browser that tells it (the browser) to do a post request to your server.

I would track the request and response through the network tools in your browser and make sure the session cookie is sent with that post request, and that it's the same cookie that you were using originally.

grenadecx

@snapey Thanks for the answer. But what @jlrdw posted solves it, so I'm gonna go with that for the meanwhile. I understand this probably affects security, I'm not sure how yet, since I validate the request in other ways anyways.

@jlrdw I tried searching before posting but apparently I didn't search hard enough. Thanks for the answer, it solves my issue. I don't know how it affects security by changing it back to how it was before.

grenadecx

That's right. I changed the SameSite back to null for now. As you guys mentioned, the better way would be a transaction id to be sent, but for the moment I can't do that with the API I'm working with.

Thanks for all the help however, I really appreciate it!
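A small model of the browser's SameSite cookie rule that reproduces the three observations in this thread (added example, not code from the thread or from Laravel; the cookie and request objects are constructed here):

```javascript
// Added example for this thread (not code from the post or from Laravel):
// a simplified model of the SameSite rule from RFC 6265bis, used to show why a
// cross-site POST from the payment provider arrives without the session cookie
// while a GET to the same route still carries it.
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// cookie: { sameSite: 'Strict' | 'Lax' | 'None', secure: boolean }
// req:    { method, crossSite: boolean, topLevelNavigation: boolean }
function cookieIsSent(cookie, req) {
  if (!req.crossSite) return true;            // same-site requests are never affected
  switch ((cookie.sameSite || 'Lax').toLowerCase()) {
    case 'strict':
      return false;                           // never sent on cross-site requests
    case 'none':
      return cookie.secure === true;          // sent cross-site only with the Secure attribute
    default:                                  // 'lax' (Laravel 7+ default) and unknown values
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  }
}

// Replay the thread's three checks with a constructed cookie matching Laravel's
// default config/session.php ('same_site' => 'lax').
function threadScenarios(cookie = { sameSite: 'lax', secure: true }) {
  const hit = (req) => (cookieIsSent(cookie, req) ? 'original session' : 'new session');
  return {
    // user types the URL into the address bar: no cross-site initiator
    addressBarGet:    hit({ method: 'GET',  crossSite: false, topLevelNavigation: true }),
    // provider sends the browser back with a redirect: top-level GET (the PayPal-style flow)
    providerRedirect: hit({ method: 'GET',  crossSite: true,  topLevelNavigation: true }),
    // provider auto-submits a form back to the site: top-level cross-site POST
    providerPost:     hit({ method: 'POST', crossSite: true,  topLevelNavigation: true }),
  };
}
```

Setting Laravel's `same_site` to null only omits the attribute, and Chromium-based browsers treat a missing attribute as Lax by default, so the provider's POST can still arrive without the cookie; carrying an order reference in that POST, as Snapey suggested, is the robust fix.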
