Symfony 2 losing session inside an iFrame - php

I'm trying to add a hosted payment solution to an old Symfony 2.6 project. This is the standard hosted solution where you embed the Payment Gateway's form inside an iframe, to allow the user to securely submit their CC information. When the payment is processed, the Payment Gateway redirects the user back to my site using a GET request and sends me the payment token as a GET param.
This all happens inside the iFrame, obviously, and this whole process works fine, except for the last step.
When the user is redirected back to my callback URL inside the iframe, Symfony for some reason doesn't recognize the user's session and redirects the user to the login. I get the message security.INFO: Populated SecurityContext with an anonymous Token in the log. That happens only for that one call; the user remains logged in on the rest of the site. User logins are controlled by fos_userbundle, in the standard setup.
The callback URL looks like this: http://some.site/foo?paymentToken=12345, and if I enter that URL directly into the browser it works just fine. Even when I set the iframe's src directly to that URL it loads fine. But when the user is 302-redirected back to that URL from the payment gateway it fails (using the Chrome browser).
The payment gateway is using https, my site is using regular http, so I guess it has something to do with switching the security levels? But I have no idea how to solve it.
Since the redirect comes from the 3rd-party server I can't control the headers or anything else about that request.
UPDATE: I've noticed that Chrome sends the header upgrade-insecure-requests:1; not sure if it's causing the problems?

I can confirm that this is not a Symfony problem, but an issue with how Chrome handles redirects from secure to insecure sites (possibly a bug?).
Chrome doesn't send any cookies on a 302 redirect from an https to an http page, and that's why the user is not recognized properly. Everything works fine with Firefox.

This can also happen if you're testing the app in app_dev.php (development mode) and the iframe is calling the production version (app.php). Each application manages different sessions.

Related

Why does my Symfony native Session change?

I'm using the Symfony Session component with NativeStorage.
The initialization is very simple (the session property has type Symfony\Component\HttpFoundation\Session\Session):
$this->session->start();
I'm facing a session issue during payment redirects: my application redirects the user to PayPal payment, and if the user pushes the "abort" link on the PayPal page, they are redirected to the abort page of the initial application.
During this second redirect somehow the session is refreshed and a new cookie and session id are activated.
I'm working with Firefox without private mode. I have tried to open the page manually in a new browser tab but the session is discarded in the same way.
What can cause a session expiration during a page redirect? The cookie generated is the standard cookie made by the Symfony Session class and PHP:
Domain and protocol (https) don't change. The URL path changes from the initial page to the abort page.
UPDATE:
The issue seems to be connected to Firefox.
I have tested it with Chrome and it works; I have tested the case with Firefox in private mode and it works... so I guess it is something wrong with my Firefox sessions.

Is it possible to have session/cookies if the request comes from a different origin?

I am using a payment API. When I click on pay, it opens a new page in the browser, I do the payment on their platform and then the user is redirected back to my website using a POST request. However, even if he was logged in when he left my website, when he gets redirected back to my website and the origin is the payment platform, my user doesn't seem to still be logged in. He isn't logged out though, it's
Is there a way to keep the session active even when the origin is not the current website? So, I am on domain A, I click a link to get the payment on domain B and when the payment is done, I'm redirected to domain A with my authentication (session).
Thanks a lot!
It's an issue with the SameSite cookie configuration, mainly observed on Chrome. You could try SameSite=None with the Secure flag; change this in the session configuration file.
Also make sure you use https.
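The cookie setting that answer refers to, and the reason the https-to-http gateway redirect in the first question has no working cookie configuration, shown as an added example (not code from any of the questions or answers): a hypothetical helper that builds the PHP session cookie parameters for the default setting beside the cross-site-safe one, and refuses the combination browsers will silently drop. It assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example: session cookie parameters for a payment-gateway callback.
// Browsers treat the session cookie as SameSite=Lax when nothing is set, so a
// redirect initiated by the gateway (a different site) can arrive without it.
// SameSite=None makes the cookie travel on that cross-site redirect, but browsers
// only accept SameSite=None together with the Secure flag, and Secure cookies
// are never sent to a plain http URL. Hence "make sure you use https".
declare(strict_types=1);

/**
 * Build the array accepted by session_set_cookie_params() (PHP >= 7.3).
 *
 * @param bool $crossSiteReturn true when a third party redirects the browser
 *                              back to us and the session cookie must be sent
 * @param bool $https           true when our own site is served over HTTPS
 */
function sessionCookieParams(bool $crossSiteReturn, bool $https): array
{
    if ($crossSiteReturn && !$https) {
        // No valid combination exists: None without Secure is rejected by the
        // browser, and Secure on an http site is never sent back to us.
        throw new RuntimeException(
            'SameSite=None requires the Secure flag, and therefore an https callback URL'
        );
    }

    return [
        'lifetime' => 0,          // session cookie, expires with the browser
        'path'     => '/',
        'domain'   => '',         // host-only cookie
        'secure'   => $https,     // only ever sent over TLS when true
        'httponly' => true,       // not readable from JavaScript
        // Lax is the browser default and is enough for same-site navigation;
        // None is required when the request is initiated by the gateway's site.
        'samesite' => $crossSiteReturn ? 'None' : 'Lax',
    ];
}

// Default setting an older app effectively runs with: Lax, not Secure.
$default = sessionCookieParams(false, false);

// Setting for the callback: https site plus SameSite=None; Secure.
$callback = sessionCookieParams(true, true);

// Must be called before the session cookie is issued for the first time.
session_set_cookie_params($callback);
session_start();
```

Newer Symfony versions expose the same two knobs as framework.session.cookie_secure and cookie_samesite; the Symfony 2.6 project in the first question predates the samesite option, which is why the helper applies them at the PHP level.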

Shopify POST Request going to Continue URL

I tried to make a POST request in Postman (and in PHP) to a URL to create a fulfillment, but for some reason Shopify displays a link stating "continue" which points me to logging into Shopify.
I looked up the issue and it commonly seems to be attributed to cookies, but I disabled cookies and still have this same problem. I also tried with my local PC in Docker and I assume the same issue persists.
Try this:
Click the Cookies button right below the request bar:
Remove cookies related to your Shopify store.
Send request again.

Identity cookie in user authentication deleted right after login

I am developing a webapp and have been running into some problems with the user authentication implemented in Yii2's Advanced Template.
The thing is, it runs fine locally, but on the production server the login seems to not work properly. It validates the data correctly (user and password), and if they match any entry in the database I can track via the F12 function on Chrome that I have been redirected to the index page, as expected. The problem is that, after being redirected to the index page, it redirects me back to the login page (as if I wasn't authenticated). Inspecting the browser's cookies I can see that the identity cookie used by Yii2 is already marked as 'deleted' at this point.
What may be the problem? Is Yii2 not being able to save the state of the user perhaps? How can I try to debug that?

Load and authenticate into a web within an iframe using http, from a web using https

I need to simulate, from within an iframe in our site (which uses https and is loaded only once upon authentication on our site), the authentication into another site, which only uses http.
How can I do that?
We first tried loading into the iframe a page of our site from which the login form for the remote authentication is automatically submitted with JavaScript. This cannot be achieved because the http request from the form is blocked by the browser for security reasons. I must clarify that if we use http in our web too, the authentication is done without problems.
I'm not sure if using file_get_contents() will do the trick, because it's not a simple static page that we need to display. We need to keep any data from the remote login (cookies, etc.) in the browser so that we can access other parts of the remote web (once I've signed in) from other places of our site. As far as I know, file_get_contents doesn't provide any header.
Another alternative I've also considered is curl, using CURLOPT_RETURNTRANSFER=true and CURLOPT_HEADER=true and trying to manually set any cookies I get in the header. I'm not sure if keeping the session implies more actions, though.
