This question is being posted after trying many solutions for about the past 2 days, and nothing has worked. Sessions in my CodeIgniter 4 project are behaving in a strange manner. There is a payment module in my application and PayU is my payment gateway provider. After the payment gateway redirection, PayU will post some response data to my URL. At this time the session is destroyed automatically. I don't know why it's happening, because, for your understanding, it's not happening every time: say, out of 10 tries the session will be destroyed 7 times after a successful payment. I get all the response from PayU inside my controller. If the payment is cancelled by the user, the frequency is about 5 out of 10 tries. This issue only happens after redirection from the PayU payment gateway, irrespective of the payment status. I tried this, this, this, this and many other sites other than StackOverflow.
I'm using OpenLiteSpeed server on AlmaLinux 8. I added this to my virtual server config file:
context / {
    location        $DOC_ROOT/
    allowBrowse     1
    extraHeaders    header edit set-cookie $1;httponly;secure;samesite=none
}
My .htaccess file doesn't contain anything other than a rewrite rule for hiding public from the URL.
This is my .env:
# Initially it was FileHandler
app.sessionDriver = 'CodeIgniter\Session\Handlers\DatabaseHandler'
app.sessionCookieName = 'ci_session'
app.sessionExpiration = 7200
app.sessionSavePath = ci_sessions
# app.sessionMatchIP = false
app.sessionTimeToUpdate = 300
# app.sessionRegenerateDestroy = false
# app.CSPEnabled = false
# Initially all the cookie preferences were commented out; I experimented with different values.
cookie.prefix = ''
cookie.expires = 7200
cookie.path = '/'
cookie.domain = '<domain_name>'
cookie.secure = true
# cookie.httponly = false
# I tried Lax also
cookie.samesite = 'none'
# cookie.raw = false
security.csrfProtection = 'cookie'
security.tokenName = 'csrf_token_name'
security.headerName = 'X-CSRF-TOKEN'
security.cookieName = 'csrf_cookie_name'
security.expires = 7200
security.regenerate = true
security.redirect = true
security.samesite = 'Lax'
curlrequest.shareOptions = true
I tried this in my BaseController:
public function initController(RequestInterface $request, ResponseInterface $response, LoggerInterface $logger)
{
    // Do Not Edit This Line
    parent::initController($request, $response, $logger);

    // Preload any models, libraries, etc, here.
    $this->session = \Config\Services::session();
    session();
}
I added this line to my php.ini:
session.auto_start = 1
After the payment, PayU will post the response to this function. I'm using PHP 7.4, CodeIgniter 4.1.5 and LiteSpeed 1.7.14.
Update
I updated CodeIgniter to the latest version, 4.2.3, but that did not fix this issue.
2 answers
r8uurelv1#
The reply from PayU was:
Suggested solution: the Chrome 84 security update states that a cookie's SameSite attribute defaults to Lax (which allows GET requests); if we want the cookie to be transmitted, it should be marked SameSite=None and explicitly "Secure". (Reference https://web.dev/samesite-cookies-explained/)
The session is not cleared or destroyed during the transaction because of PayU; rather, Chrome updated some cache and cookie policies in its latest update, v84, and the same policy must be implemented in your session.
PayU plays no role in the session; if you try the same operation on Mozilla, it will work there and you will not face any empty-session issue.
Please find below the key points from the Chrome forum for reproducing this issue.
A cookie associated with a cross-site resource was set without the SameSite attribute. The cookie has been blocked, because Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application > Storage > Cookies and see more details at the two referenced links. Please find the solution to this issue below:
Chrome versions 84 and above have the problem of the cookie being empty on return. There is no restriction on cookies on PayU's side. Suggested solution: the Chrome 84 security update states that a cookie's SameSite attribute defaults to Lax (which allows GET requests); if we want the cookie to be transmitted, it should be marked SameSite=None and explicitly "Secure". (Reference https://web.dev/samesite-cookies-explained/)
Please verify with your technical team whether the session ID is empty during the return to the merchant website after the changes on your side. If the session ID is empty, please see the RCA below regarding the Chrome 84 issue.
This is to inform you of the changes released by Chrome in its latest update, v84, and their impact on transaction processing. The details are below.
Incident reference across India: the session ID is missing from the header response after payment, causing loss of session data. Some PayU merchants have raised the issue of session loss when processing transactions on Chrome versions above v84. This issue is due to a change in Chrome's cookie policy. The change prevents cookies from being retained as the user moves across multiple domains, causing the user's session to be lost.
Transaction processing impact: High
Affected areas: Production and UAT
Question 1: How does Chrome's SameSite cookie policy affect my browser-redirect integration? In Chrome v84 the SameSite cookie attribute was released; if the server does not handle the attribute, it can cause session data loss or an empty session ID. Merchants may see a sudden spike in incomplete orders on their end. SameSite cookie policy: for users running Chrome v84 and above, Chrome enforces a secure-by-default cookie classification system, treating cookies with no declared SameSite value as SameSite=Lax cookies. Only cookies set to SameSite=None remain available, provided they are accessed over a secure connection. Chrome 84 release notes reference link: https://support.google.com/chrome/a/answer/7679408?hl=en
Question 3: How to fix (or prepare)? Session data is not part of the PayU integration; it is managed by the merchant. You can refer to the following link and make the required changes. (Reference https://web.dev/samesite-cookies-explained/)
ftf50wuq2#
Make the following changes.
In config/Cookie.php, set:
$secure = true;
$samesite = 'None';
In config/Security.php, set:
$samesite = 'None';
Then give an absolute path as the redirect URL, for example: domain.com/customer/Pay/checkTransaction
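As an added example (not code from the question, from PayU or from CodeIgniter), the following Python model applies the Chrome 84+ cookie rules quoted in the first answer to the flow in the question, PayU's site posting the payment result back to the merchant cross-site, using the cookie names from the .env and the SameSite values from the .env and from answer 2. It goes slightly beyond the page by also covering SameSite=Strict and Chrome's two-minute "Lax + POST" grace period for cookies that carry no SameSite attribute at all; the cookie ages in the scenarios are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

LAX_POST_GRACE_SECONDS = 120  # Chrome's "Lax + POST" grace for cookies lacking a SameSite attribute
@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is omitted
    secure: bool
    age_seconds: int = 0     # seconds since Set-Cookie; only matters when samesite is omitted

@dataclass(frozen=True)
class Request:
    cross_site: bool  # initiating site differs from the cookie's site
    method: str       # "GET" or "POST"
    top_level: bool   # a navigation (redirect / form post), not a subresource fetch
    https: bool

def cookie_accepted(c: Cookie) -> bool:
    """Chrome 84+ discards a Set-Cookie with SameSite=None that is not also Secure."""
    return not (c.samesite == "None" and not c.secure)

def cookie_sent(c: Cookie, r: Request) -> bool:
    """Would Chrome 84+ attach cookie c to request r?"""
    if not cookie_accepted(c) or (c.secure and not r.https):
        return False
    if not r.cross_site:
        return True
    mode = c.samesite or "Lax"  # attribute omitted -> treated as Lax
    if mode in ("None", "Strict"):
        return mode == "None"
    if r.top_level and r.method == "GET":  # Lax: safe top-level navigations ...
        return True
    # ... plus the 2-minute grace for attribute-less cookies on top-level POSTs
    return (c.samesite is None and r.top_level and r.method == "POST"
            and c.age_seconds < LAX_POST_GRACE_SECONDS)

# The return leg from the question: PayU's site POSTs the payment result to the merchant.
PAYU_RETURN_POST = Request(cross_site=True, method="POST", top_level=True, https=True)
def merchant_callback_state(session: Cookie, csrf: Cookie) -> dict:
    """Which merchant cookies arrive with PayU's POST (cookie names from the .env above)."""
    return {session.name: cookie_sent(session, PAYU_RETURN_POST),
            csrf.name: cookie_sent(csrf, PAYU_RETURN_POST)}

# Constructed scenarios (ages are hypothetical): explicit Lax loses the session on every
# return, an omitted attribute loses it only once the cookie is over two minutes old
# (which looks intermittent), and None + Secure keeps it.
LAX_SESSION = Cookie("ci_session", "Lax", True)
FRESH_UNSET = Cookie("ci_session", None, True, age_seconds=30)
STALE_UNSET = Cookie("ci_session", None, True, age_seconds=600)
NONE_SECURE = Cookie("ci_session", "None", True)
```

Note that the CSRF cookie follows the same rules: with security.samesite = 'Lax' it is also absent from PayU's POST, which is why answer 2 changes Security.php as well.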