Laravel session 在 Z763F7F1AEC350CD1A46238D1D5C3C2 中的 iframe 中打开站点时被杀死

Question

This issue only seems to be affecting Firefox, and then only some users (with no obvious version / security setting differences). We are getting session loss in our Laravel app.

We have a payment integration that uses the iframed Opayo server integration. This opens up the payment form in an iframe in the Laravel app. Payment details are provided, and the payment is successful - including hitting an Opayo webhook to confirm the transaction.

The webhook returns a redirect url, that Opayo uses to redirect the user (in the iframe naturally). This redirect url is simply a url on the same site as the app (ie the iframe parent).

At the point that the iframe loads the redirect url, the site session is immediately killed. Originally, the page at the url broke out of the iframe (set window.top.location), and also did some ajax calls - I removed both these actions, to confirm they weren't somehow responsible for the session getting nuked.

Site is served over https with a valid certificate. Session cookie is set to secure, http only and same site 'lax'

What could be causing this behaviour?

Answer 1

This is because the iframe is not exactly your page running on your system. So, if the iframe is not on your system, it will not have access to the cookies that are in your application.

If the iframe is from your application, I advise you to use query params in the url of the iframe to pass such necessary information within the iframe.Something like:

<iframe src="https://www.foo.bar?value=1&value_2=2"></iframe>