bala_dev's avatar

Session values do not persist

Hi Everyone,

I am developing a Bigcommerce app using Laravel. The app which I am developing will be loaded inside an iframe inside the Bigcommerce panel. The problem which I am facing now is setting the session variables using the Session class methods. Also, I am developing this as a custom package so that I can use it in my future projects.

What I have tried

// Controller file
public function saveSession()
{
    Session::put("store_hash", "sample 1");
    Session::save();
}

public function getSession()
{
    return Session::get("store_hash");
}

// getSession() results in a null value.

FYI: Tried using middleware as web

What works

// Controller file
public function saveSession()
{
    $_SESSION["store_hash"] = "sample 1";
}

public function getSession()
{
    return $_SESSION["store_hash"];
}

// getSession() results in the "sample 1" value.

I want to know if I can achieve this with the help of the Session class in Laravel, or does any conflict happen in Laravel when we use the default PHP $_SESSION variable? Kindly advise on this please.

Thanks

JussiMannisto's avatar

Don't use $_SESSION. That's the native PHP session, which is not used by Laravel.

FYI: Tried using middleware as web

Are you trying to say you're using the web middleware group? You must use it, because the api middleware group is stateless, i.e. it doesn't include the StartSession middleware.

Note that any changes you made to the session are automatically saved at the end of the request by the StartSession middleware. If you terminate the request by calling die() or exit() or something like that, the changes will never get saved.

The app which I am developing will be loading inside a iframe inside bigcommerce panel.

Most browsers nowadays block 3rd party cookies by default. That means your session cookies won't work in an iframe. You have to set the cookie's SameSite attribute to None if you want it to work in an iframe. Laravel has a same_site entry in the session.php config file for this.

The reason why $_SESSION worked could be due to the samesite settings in your php.ini.

If at all possible, I'd get away from iframes. 3rd party cookies may get completely blocked for some users, or they might not work in incognito mode. Iframes are also bad from a UX standpoint. But if you absolutely have to embed your app, you should have secure Content Security Policy settings, so that only the specified domain can embed your website. That way other sites can't put your site in an iframe and try to run some clickjacking scam or similar.
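
The embedding restriction recommended in the reply above, as an added example that is not part of the thread: a Laravel middleware that sets the CSP frame-ancestors directive while keeping any other directives already on the response. The class name and the parent origin are placeholders chosen for illustration.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical middleware name; not part of Laravel or of the poster's package.
class RestrictFrameAncestors
{
    // Placeholder origin: replace with the origin(s) of the panel that embeds the app.
    private const ALLOWED_PARENTS = ['https://parent-panel.example'];

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        $directive = 'frame-ancestors ' . implode(' ', self::ALLOWED_PARENTS);
        $existing = $response->headers->get('Content-Security-Policy');

        if ($existing === null || trim($existing) === '') {
            $policy = $directive;
        } else {
            // Keep the other directives, drop any frame-ancestors already present,
            // then append ours so the response carries exactly one allow-list.
            $kept = array_filter(
                array_map('trim', explode(';', $existing)),
                fn (string $d) => $d !== '' && stripos($d, 'frame-ancestors') !== 0
            );
            $policy = implode('; ', array_merge($kept, [$directive]));
        }

        $response->headers->set('Content-Security-Policy', $policy);

        return $response;
    }
}
```

Attach it to the routes that serve the embedded app; any origin not listed in frame-ancestors is refused by the browser when it tries to frame those pages.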

bala_dev's avatar

Hi @jussimannisto,

Thanks for your response.

This is the sample custom package which I am developing. In this routes/web.php, I am setting the Session value and not putting any die function while executing it.

When I run this in local this works. But since I am running this via local and temporarily exposing the code via https://localxpose.io/, this doesn't work there.

Also for implementation, I will be using the original Laravel application's composer.json, to include the following code for the package to work.

"repositories": [
    {
        "type": "path",
        "url": "../../common_packages/larapps/bigcommerce-app-sample"
    }
]

In Local

returns sample 1 as session value

In LocalExpose

returns null as session value

Unfortunately the Bigcommerce app loads inside an iframe, so there isn't any workaround for that. Regarding the SameSite, I have set this as "null" value in my session.php, since it is needed for Bigcommerce.

I don't want to implement any authentication mechanisms since Bigcommerce does that. But I do want to maintain the user data in the session, in order to perform some functionalities based on the user. So can you please advise if it is possible to make this work, or I am open to any alternative approach.

Thanks.

JussiMannisto's avatar

Unfortunately bigcommerce app loads inside an iframe, so there isn't any work around for that. Regarding the SameSite, I have set this as "null" value in my session.php, since it needed for Bigcommerce.

Since you've set the same_site value to null, the SameSite attribute will be omitted from cookies. Browsers will then default to the Lax setting, stopping 3rd party cookies from being sent. Your session cookie won't get sent when your app is in an iframe, and sessions won't work. The behavior you're seeing is completely expected.

Like I explained in my previous post, you have to set the SameSite attribute to None if you want to use sessions within an iframe. That's assuming that your app's origin is different from the parent window. You also have to set the session.secure config to true when using None.

https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure#chrome-enforcement-starting-in-february-2020

1 like
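
The cookie behaviour explained in the reply above, as an added example that is not part of the thread: a plain PHP script that applies those rules to three Set-Cookie headers, one per session.php combination mentioned in the discussion. The headers and function names are constructed for illustration, and the model covers only the SameSite and Secure rules discussed here.

```php
<?php

/** Parse the attributes of a Set-Cookie value into lower-cased name => value pairs. */
function cookieAttributes(string $setCookie): array
{
    $parts = array_map('trim', explode(';', $setCookie));
    array_shift($parts); // drop the leading name=value pair
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $part, 2), 2, '');
        $attrs[strtolower(trim($name))] = strtolower(trim($value));
    }
    return $attrs;
}

/** Return [bool sent, string reason] for a request made from a cross-site iframe. */
function sentInCrossSiteIframe(string $setCookie): array
{
    $attrs = cookieAttributes($setCookie);
    $sameSite = $attrs['samesite'] ?? '';
    if (!in_array($sameSite, ['strict', 'lax', 'none'], true)) {
        $sameSite = 'lax'; // attribute omitted or unrecognised: browser falls back to Lax
    }
    if ($sameSite !== 'none') {
        return [false, 'SameSite=' . ucfirst($sameSite) . ': not sent from a cross-site iframe'];
    }
    if (!array_key_exists('secure', $attrs)) {
        return [false, 'SameSite=None without Secure: cookie is rejected'];
    }
    return [true, 'SameSite=None; Secure: sent from the iframe'];
}

// Constructed sample headers, keyed by the session.php settings that would produce them.
$samples = [
    "same_site=null"                 => 'laravel_session=abc; path=/; httponly',
    "same_site='none', secure=false" => 'laravel_session=abc; path=/; httponly; samesite=none',
    "same_site='none', secure=true"  => 'laravel_session=abc; path=/; secure; httponly; samesite=none',
];
foreach ($samples as $config => $header) {
    [$sent, $why] = sentInCrossSiteIframe($header);
    printf("%-32s %-5s %s\n", $config, $sent ? 'sent' : 'lost', $why);
}
```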
bala_dev's avatar

Hi @jussimannisto,

You are a saviour man. I already set the SameSite as "none". Previously I wrote with a typo mistake to be "null", but setting the session.secure to true did the trick. :)

Again thanks so much man.

Thanks.
