[英]PHPSESSID cookie lost after redirect
My website redirects user to the payment Gateway page.我的网站将用户重定向到支付网关页面。 Once the user has completed the payment, they are redirected back to my website receipt page
process.php
.用户完成付款后,他们将被重定向回我的网站收据页面
process.php
。 Please note that user redirects away from and return to https page.请注意,用户重定向离开并返回到 https 页面。 website URL is exactly the same ie: user redirects away from https://website.com/payment.php to Payment Gateway and then back to https://website.com/process.php?para1=true¶2=true
website URL is exactly the same ie: user redirects away from https://website.com/payment.php to Payment Gateway and then back to https://website.com/process.php?para1=true¶2=true
session_start();
print_r($_COOKIE);
print_r($_SESSION);
What i get is this:我得到的是:
Array( [lang] => en [theme] => light [timezone] => Asia/Baghdad ) Array( )
What I expect to get is this:我期望得到的是:
Array( [lang] => en [theme] => light [timezone] => Asia/Baghdad [PHPSESSID] => 2b656f9120*********6fd1817316 ) Array( [nonce] => 68e56bb********f2253529e09bf3f [userID] => 1 [last_error] => [last_success] => )
Things i've tried:我尝试过的事情:
process.php
process.php
来重新创建问题process.php
again to process.php
process.php
的用户再次重定向到process.php
PHPSESSID
comes back.PHPSESSID
会返回。 Refreshing process.php
after refreshing other page makes PHPSESSID
to appear again.process.php
。php 刷新其他页面后使PHPSESSID
再次出现。header("Location: website.com/process.php")
does not reproduce the issue.header("Location: website.com/process.php")
从任何其他网站重定向不会重现该问题。Do you have something like this in your apache config?你的 apache 配置中有类似的东西吗?
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Changing Strict to Lax should solve your issue:将 Strict 更改为 Lax 应该可以解决您的问题:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
See also https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/另见https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Try changing the defaults for session_start()
:尝试更改
session_start()
的默认值:
$secure = true; // if you only want to receive the cookie over HTTPS
$httponly = true; // prevent JavaScript access to session cookie
$samesite = 'lax';
if (PHP_VERSION_ID < 70300) {
session_set_cookie_params($maxlifetime, '/; samesite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
} else {
session_set_cookie_params([
'lifetime' => $maxlifetime,
'path' => '/',
'domain' => $_SERVER['HTTP_HOST'],
'secure' => $secure,
'httponly' => $httponly,
'samesite' => $samesite
]);
}
See also https://www.php.net/manual/de/function.session-set-cookie-params.php#125072另见https://www.php.net/manual/de/function.session-set-cookie-params.php#125072
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.