Lost session at confirmation page (lost orderid)

[rvhelp2]

Hello,

We have MPay24 as our payment provider. When a user makes a payment, we send a push notification and update the order. However, when a user is redirected back to our Typo3 11, the order ID is no longer contained in the session and the error message mentioned in the title is displayed. We have already set cookieSameSite as a variable in Typo3 (BE & FE).

This happens since December 2023.

Code: Select all

Lost session at confirmation page
Array
(
[MAGICK_TEMPORARY_PATH] => /usr/home/website/.tmp
[TMPDIR] => /usr/home/website/.tmp
[PHP_FCGI_MAX_REQUESTS] => 100000
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[PHPRC] => /home/httpd/php74-ini/website
[PWD] => /home/httpd/cgi-bin
[MAGICK_TMPDIR] => /usr/home/website/.tmp
[CONTENT_LENGTH] => 0
[HTTP_CONNECTION] => close
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /produkte/shop/confirm?action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REQUEST_METHOD] => GET
[SERVER_PROTOCOL] => HTTP/2.0
[GATEWAY_INTERFACE] => CGI/1.1
[REDIRECT_QUERY_STRING] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
[REDIRECT_URL] => /produkte/shop/confirm
[REMOTE_PORT] => 52187
[SCRIPT_FILENAME] => /usr/www/users/website/website.com/index.php
[SERVER_ADMIN] => webmaster@website.com
[CONTEXT_DOCUMENT_ROOT] => /usr/www/users/website/website.com
[CONTEXT_PREFIX] =>
[REQUEST_SCHEME] => https
[DOCUMENT_ROOT] => /usr/www/users/website/website.com
[REMOTE_ADDR] => 213.47.100.23
[SERVER_PORT] => 443
[SERVER_ADDR] => 116.202.200.217
[SERVER_NAME] => website.com
[SERVER_SOFTWARE] => Apache
[SERVER_SIGNATURE] => <address>Apache Server at website.com Port 443</address>

[HTTP_HOST] => website.com
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
[SSL_TLS_SNI] => website.com
[HTTPS] => on
[H2_STREAM_TAG] => 42226-5245-15
[H2_STREAM_ID] => 15
[H2_PUSHED_ON] =>
[H2_PUSHED] =>
[H2_PUSH] => on
[H2PUSH] => on
[HTTP2] => on
[CWD] => /
[REDIRECT_STATUS] => 200
[REDIRECT_SSL_TLS_SNI] => website.com
[REDIRECT_HTTPS] => on
[REDIRECT_H2_STREAM_TAG] => 42226-5245-15
[REDIRECT_H2_STREAM_ID] => 15
[REDIRECT_H2_PUSHED_ON] =>
[REDIRECT_H2_PUSHED] =>
[REDIRECT_H2_PUSH] => on
[REDIRECT_H2PUSH] => on
[REDIRECT_HTTP2] => on
[REDIRECT_CWD] => /
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1707423575.9154
[REQUEST_TIME] => 1707423575
[argv] => Array
(
[0] => action=confirm&code=mpay24&controller=Checkout&TID=1259&LANGUAGE=DE&USER_FIELD=&BRAND=MASTERCARD
)

[argc] => 1
)

[aimeos]

The browser (almost always Google Chome) didn't send the TYPO3 FE session cookie to the server after being redirected from the payment provider website. Setting "cookieSameSite" to "none" may improve the situation but we came to the conclusion that Chrome's behavior is buggy.

[rvhelp2]

Is there a possible Workaround or something like that? Like sending a Hash to Mpay and then use the hash in the success url to verify rather than session order id? how can i add a property to order, set("hash" $hash) can be called up directly afterwards but not at the confirm: $unconfirmed_order = \Aimeos\Controller\Frontend::create( $context, 'order' )->get( $unconfirmed_orderid, false );

[aimeos]

A possible workaround might be to pass the unique ID hash of the session in the URL that is returned by the payment provider. As long as this is the only place where it's done, security implications should be manageable. The only problem will be how to get that unique ID and force TYPO3 to use it if it's part of the URL (which we guess it will refuse to do so by default).

[stiller]

We are facing the same problem.
You hardly get feedback from customers but the log reveals several "Lost session at confirmation page - orderid missing" entries.
User Agent varies. Chrome is not the only affected browser.
Payment is handled by the included PayPal service provider.
"cookieSameSite" set to "none".
TYPO3 latest 11.5
Aimeos 22.10.8

[aimeos]

"cookieSameSite: none" solves the issue most of the time but not always and we don't know why.
Which other browsers are also affected? Are Firefox and Safari among them?

[stiller]

mostly Chrome [Android/Windows]
but also Firefox
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0

[stiller]

we're are experiencing this error (and a lost order) almost every day now.
this is an unfortunate situation
any further ideas on this? can I help with more information?

[aimeos]

It seems to happen mostly with a few of our supported payment providers, most often Datatrans. Don't know if the reason is related to what they do on their side.

[stiller]

In our case the provided paypal service is affected.
that's why we are worried.
if a shop owner does not check the logs, he will hardly find out that this is happening.
could the cookie manager have an impact on this?