
cosminc

Session is lost after third-party POST request

Hello,

The app that I'm currently working on has a section where an authenticated user can buy certain products. The payment is handled by a payment processor.

After the user submits the credit card details, the payment processor performs a POST request to my app to notify about the transaction status. The user gets redirected to a success or transaction failed page according to the status.

The problem is that after the third-party POST request the current session is lost and when I'm redirecting to one of those two pages the user is not authenticated anymore.

After doing some research I learned that a quick fix would be to set 'same_site' => null in session.php. Tried that and it works, but I'm fearing that I'm opening the door to some security issues (CSRF).

Is there a better way to do this? And by better I mean more secure.

Thanks.

martinbean

@cosminc Well how are you redirecting? Because a third party making a POST request won’t redirect a completely unrelated user. Otherwise I could make a POST request to your server and start redirecting any active users to random URLs, which would be a massive security risk.

cosminc

So the third party expects two URLs, one for a successful transaction and one for a failed transaction. Both of these URLs are generated in my app as signed URLs and contain the order number and the status. When the third party makes the POST request I verify the signature first, and if it matches I take the order number and the status and redirect the user accordingly to a GET route.
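As an added example (not the poster's code), here is how that signed-URL callback can be laid out in Laravel while leaving `same_site` at its default `lax` instead of `null`. It assumes the processor's POST is made by the user's browser (a form auto-submit), that an `App\Models\Order` model exists, and that `orders.show` is a GET route behind the `auth` middleware; with `lax`, the cross-site POST itself arrives without the session cookie, but the 302 that follows is a top-level GET navigation, which does carry a Lax cookie, so the user stays authenticated.

```php
<?php
// Added example: payment callback that authenticates the request by its
// signature, never by the session, then hands the browser to a GET route.
// Route names and the Order model are assumptions, not the poster's code.

use App\Models\Order;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// 1. At checkout, generate the two callback URLs the processor asks for as
//    expiring signed URLs. The status is baked into the signed query string,
//    so it cannot be altered without invalidating the signature.
function paymentCallbackUrls(int $orderId): array
{
    $expires = now()->addMinutes(30);
    return [
        'success' => URL::temporarySignedRoute('payment.callback', $expires,
            ['order' => $orderId, 'status' => 'success']),
        'failed'  => URL::temporarySignedRoute('payment.callback', $expires,
            ['order' => $orderId, 'status' => 'failed']),
    ];
}

// 2. The processor POSTs to this route. It is deliberately outside 'auth'
//    (no session cookie arrives on a cross-site POST with SameSite=Lax) and
//    must be excluded from CSRF verification, since the processor has no
//    CSRF token. The 'signed' middleware rejects any request whose signature
//    is wrong or whose expiry has passed, which is the CSRF protection here.
Route::post('/payment/callback', function (Request $request) {
    $order  = Order::findOrFail($request->query('order'));
    $status = $request->query('status') === 'success' ? 'paid' : 'failed';

    // Idempotent update: a replayed callback inside the expiry window is a no-op.
    if ($order->status === 'pending') {
        $order->update(['status' => $status]);
    }

    // 302 to a GET route: the browser's follow-up navigation carries the Lax
    // session cookie, so orders.show sees the authenticated user.
    return redirect()->route('orders.show', $order);
})->middleware('signed')->name('payment.callback');
```

The signature only proves your app generated the URL, not that money moved; anyone who sees the success URL (it is visible to the browser) can request it before the processor does, so the order status shown here should still be confirmed against the processor's server-to-server notification or API before goods are released.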
