
Chrome loses my session data when returning from the payment gateway

Since the beginning of August my users are presently losing their sessions whenever they use Chrome to perform a payment with Moneris. It works just fine under Firefox. The code hasn't changed for a few years now; it all started automagically.

The payment "summary.php" page initially calls the gateway URL, which then returns to the "return.php" page after the transaction. This return page just contains a form that grabs the transaction key and posts it back to the gateway for verification purposes:

<?php
    session_start();
    // Escape the gateway-supplied value before echoing it into an attribute,
    // and fall back to an empty string when no key was posted.
    $transactionKey = htmlspecialchars($_POST['transactionKey'] ?? '', ENT_QUOTES, 'UTF-8');
?>
<!doctype html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <script>
            // Auto-submit the verification form as soon as the page loads.
            function verify_transaction() {
                document.getElementById('verify').submit();
            }
        </script>
    </head>

    <body onload="verify_transaction()">
        <form id="verify" name="verify" action="https://www.gateway.com/verify.php" method="post">
            <input type="hidden" name="ps_store_id" value="abcdef">
            <input type="hidden" name="hpp_key" value="abcdef">
            <input type="hidden" name="transactionKey" value="<?php echo $transactionKey; ?>">
        </form>
    </body>
</html>

The issue here is that all the session data is gone when this page is called. I also cannot store the session anywhere, as there is no way for the gateway to send me back the information I would send to start with.

I am afraid it might have to do with the July release of Chrome which has this in the comments: "Same Site Cookie policy changes are starting to roll out again"

Same thing for the August release: "Rejection of insecure SameSite=None cookies", but I don't know how/where to go about this.

The web site is hosted on cPanel and I made sure the user is using HTTPS all the way.

Does someone have a suggestion?

EDIT:

I just noticed that when I log in and out of the site, I get a lot of these:

"A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."

<?php
session_start();
// Keep the key the gateway posted in the session so the verification
// form can be rebuilt from server-side state.
if (isset($_POST['transactionKey'])) {
    $_SESSION['transKey'] = $_POST['transactionKey'];
}
// Escape before echoing into an attribute; empty string if nothing stored.
$transactionKey = htmlspecialchars($_SESSION['transKey'] ?? '', ENT_QUOTES, 'UTF-8');
?>

<!doctype html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <script>
            // Auto-submit the verification form as soon as the page loads.
            function verify_transaction() {
                document.getElementById('verify').submit();
            }
        </script>
    </head>

    <body onload="verify_transaction()">
        <form id="verify" name="verify" action="https://www.gateway.com/verify.php" method="post">
            <input type="hidden" name="ps_store_id" value="abcdef">
            <input type="hidden" name="hpp_key" value="abcdef">
            <input type="hidden" name="transactionKey" value="<?php echo $transactionKey; ?>">
        </form>
    </body>
</html>

After verification, destroy the session.
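The cookie-side fix the Chrome release notes quoted in the question point at, as an added example (not code from the question, the answer above, or Moneris): Chrome now treats a cookie issued without a SameSite attribute as SameSite=Lax, and a Lax cookie is not sent on a cross-site POST, which is exactly how the gateway hands control back to return.php. The bootstrap below issues the PHP session cookie with SameSite=None; Secure so it rides along on that POST, refuses to do so over plain HTTP (Chrome would reject such a cookie anyway), and includes a helper that checks the outgoing Set-Cookie header. The file name session_bootstrap.php, both function names, and the pre-7.3 fallback are assumptions.

```php
<?php
// session_bootstrap.php (added example; assumed file name).
// Use this in place of a bare session_start() on summary.php and return.php,
// i.e. on every page that must share one session across the gateway hop.
declare(strict_types=1);

function start_cross_site_safe_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    // SameSite=None is only honoured together with Secure, so insist on HTTPS
    // instead of silently emitting a cookie Chrome will drop.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$isHttps) {
        throw new RuntimeException('SameSite=None session cookie requires HTTPS');
    }

    $params = [
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // required by Chrome for SameSite=None
        'httponly' => true,     // keep the session id out of reach of page scripts
        'samesite' => 'None',   // deliver the cookie on the gateway's cross-site POST
    ];

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts the array form with a 'samesite' key.
        session_set_cookie_params($params);
    } else {
        // Assumed fallback for older PHP, which has no samesite option: the path
        // argument is written verbatim into Set-Cookie, so the attribute can be
        // appended to it. Upgrading PHP is the cleaner fix.
        session_set_cookie_params(
            $params['lifetime'],
            $params['path'] . '; SameSite=None',
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    session_start();
}

/**
 * Check that the Set-Cookie header for the session cookie carries both
 * attributes Chrome needs. Pass the array returned by headers_list() right
 * after start_cross_site_safe_session() while debugging.
 */
function session_cookie_is_cross_site_safe(array $headers): bool
{
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach ($headers as $header) {
        if (stripos($header, $prefix) !== 0) {
            continue;
        }
        return stripos($header, 'SameSite=None') !== false
            && stripos($header, 'Secure') !== false;
    }
    return false; // no session cookie is being sent at all
}

// Example wiring for a page (the require path is an assumption):
// require __DIR__ . '/session_bootstrap.php';
// start_cross_site_safe_session();
// if (!session_cookie_is_cross_site_safe(headers_list())) {
//     error_log('session cookie lacks SameSite=None; Secure');
// }
```

Two things to keep in mind when applying this. The new attributes only reach the browser when PHP next sends a Set-Cookie header, so a user who already holds a PHPSESSID issued under the old settings will still lose the session until that cookie is reissued; calling session_regenerate_id(true) once after the params change forces a fresh header. Also, the console warnings quoted in the EDIT concern cookies set by https://google.com/, not the site's own session cookie, so a quiet console is not evidence the fix is in place; the header check above is.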
