
Losing session data after redirecting from a 3rd party API (payment gateway)

I'm working on an e-commerce site which is built on top of ASP.NET MVC . We are using 3rd party payment gateway for online payment transactions. Basically, I'm redirecting the user to the payment gateway with a successUrl and a failUrl . If everything goes okay then the payment gateway redirects the user to my successUrl .

The problem I'm facing is that I'm losing all session data as soon as the user is redirected to my successUrl . So, I'm unable to track this user and I can't process the order further. More details:

  1. I'm using InProc SessionState
  2. I have defined timeout in SessionState but that doesn't help
  3. I've also defined Session.Timeout in the Session_Start method of Global.asax file
  4. Currently my application uses http and the payment gateway uses https
  5. Payment gateway is built on top of PHP

What I've tried:

I've created a dummy API then sent a request to it from my e-commerce app and then redirected it to my e-commerce app. In this case I don't lose my session data. So, I'm not sure what is wrong here.

I know there is work around but I'm more interested to know why I'm losing the session data. What's really going on behind the scene? What can I do to solve this problem? If you can elaborate it would really help.

Update

I've just tested my solution in Firefox (version 76.x) and my solution works! But it doesn't work on Chrome (version 75.x).

You need to add this code to Global.asax Session_Start event

if (Response.Cookies["ASP.NET_SessionId"] != null)
{
    Response.Cookies["ASP.NET_SessionId"].SameSite = SameSiteMode.None;
}

Please refer to this document for more details.

I don't know whether it's your problem or not, but this year we've struggled with the same thing in our payment gateway and we realized that the problem comes from the SameSite issue of Chrome. Adding some parameters to web.config fixed the issue for us.

For .NET 4.7.2 and above use

<configuration>
 <system.web>
  <sessionState cookieSameSite="None" />
 </system.web>
</configuration>

For older versions:

<system.webServer>
   <rewrite>
      <outboundRules>
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=None" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
            <add input="{HTTP_USER_AGENT}" pattern="\(iP.*; CPU .*OS 12" negate="true" />
            <add input="{HTTP_USER_AGENT}" pattern="Macintosh; Intel Mac OS X 10_14.*Safari" negate="true" /> 
          </preCondition>
        </preConditions>
      </outboundRules>
   </rewrite>
</system.webServer>

This is how I did it after spending an entire day behind it and going through lots of articles at SO and elsewhere:

Step 1: Changed the Target Framework to 4.7.2 (it was 4.5.2 earlier)

Step 2: Added the below 2 lines to the system.web section in the web.config file:

    <sessionState cookieSameSite="None" />
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

That's all it took to get it going. Now it works both in Chrome and Firefox (yet to be tested on other browsers, but hopefully it will work on other browsers too).

PS:

  • I know I have made a compromise in overall security by setting cookieSameSite to "None", but will definitely take steps to address that next.

  • I was so much drowned in the problem, and then in the resolution, that I felt so happy after getting through that it made me write my first ever answer at SO. So, please be gentle while commenting on the same if you do.

Thanks.
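The answers above set SameSite=None on the session cookie through web.config. The example below is an added illustration, not code from the question or any answer: a Global.asax.cs handler that applies SameSite=None to the ASP.NET session cookie only when the response is served over HTTPS, because Chrome discards a SameSite=None cookie that is not also marked Secure (which matters for the original setup, where the shop runs on http). It assumes .NET Framework 4.7.2 or later, where HttpCookie.SameSite exists.

```csharp
using System;
using System.Web;

// Added example (not from the question or the answers). Global.asax code-behind
// that marks the ASP.NET session cookie SameSite=None only when it can also be
// Secure, so the cookie survives the cross-site POST back from the gateway.
public class Global : HttpApplication
{
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Wired by naming convention to HttpApplication.PreSendRequestHeaders.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context == null) return;

        // Response.Cookies[name] creates the cookie if it is absent, so check the
        // key list first to avoid emitting an empty session cookie by accident.
        if (Array.IndexOf(context.Response.Cookies.AllKeys, SessionCookieName) < 0) return;

        HttpCookie sessionCookie = context.Response.Cookies[SessionCookieName];

        if (context.Request.IsSecureConnection)
        {
            // A cross-site POST only carries the cookie if it is SameSite=None
            // AND Secure; Chrome rejects SameSite=None without Secure.
            sessionCookie.SameSite = SameSiteMode.None;
            sessionCookie.Secure = true;
            sessionCookie.HttpOnly = true;
        }
        else
        {
            // Over plain HTTP the cookie cannot be Secure, so SameSite=None would
            // be dropped anyway: keep the default and surface the misconfiguration.
            context.Trace.Warn("Session",
                "Site served over HTTP; session cookie cannot be SameSite=None + Secure");
        }
    }
}
```

With this in place the gateway's redirect still needs to land on an https successUrl; serving the shop over HTTPS is the prerequisite, and the web.config settings in the answers above (cookieSameSite="None", requireSSL="true") achieve the same result declaratively.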
