I am trying to integrate the Cashfree payment gateway in my Laravel 8 project. The only issue I face is in the callback URL, where an active session is automatically destroyed after getting the POST data from the payment gateway. I have also added the CSRF exception to the middleware. I have added 'secure' => env('SESSION_SECURE_COOKIE', false) and 'same_site' => null.
I have tried redirect()->away($payment_link), an iframe tag, and a form that submits directly to the payment link, but I still get the same issue.
The session is getting destroyed in the Mozilla browser, but it works fine in the Chrome browser.
Controller (Generate Payment Request, URL, and Process Callback)
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Redirect;
// Order is the Cashfree PHP SDK class used below; its import was not shown in the question.

class PaymentController extends Controller
{
    public function credits_add()
    {
        AuthCheck(); // project helper, not shown in the question
        $this->data['page_name'] = 'Add Credits';
        return view('merchant.payment.add_credits', $this->data);
    }

    public function credits_save(Request $request)
    {
        $request->validate([
            'credit_amount' => 'required',
            'credit_transaction_type' => 'required'
        ]);
        if (!empty($request->input('credit_transaction_type')) && $request->input('credit_transaction_type') == 'Cashfree') {
            $cashfreeDetails = $this->pay_with_cashfree($request);
            if (!empty($cashfreeDetails) && !empty($cashfreeDetails['paymentLink'])) {
                // Send the browser to the gateway's hosted payment page
                return Redirect::to($cashfreeDetails['paymentLink']);
            } else {
                return redirect('credits/add')->with('errorMessage', 'Sorry! Your transaction has failed.');
            }
        }
        return redirect('credits/add');
    }

    public function pay_with_cashfree($request)
    {
        $order = new Order();
        $od["orderId"] = "ORDER-84984941";
        $od["orderAmount"] = 10000;
        $od["orderNote"] = "Subscription";
        $od["customerPhone"] = "9000012345";
        $od["customerName"] = "Test Name";
        $od["customerEmail"] = "[email protected]";
        // Both the browser return and the server-to-server notification use the same route
        $od["returnUrl"] = route('CreditsSuccess');
        $od["notifyUrl"] = route('CreditsSuccess');
        $order->create($od);
        $linkArray = $order->getLink($od['orderId']);
        $detailsArray = $order->getDetails($od['orderId']);
        if (!empty($order) && !empty($linkArray) && !empty($linkArray->status) && $linkArray->status == 'OK') {
            return array(
                'paymentLink' => $linkArray->paymentLink,
                'paymentDetails' => $detailsArray
            );
        } else {
            return array();
        }
    }

    // Callback route (returnUrl / notifyUrl): the gateway POSTs the payment result here
    public function credits_success(Request $request)
    {
        $orderId = $request->orderId;
        $orderAmount = $request->orderAmount;
        $referenceId = $request->referenceId;
        $txStatus = $request->txStatus;
        $paymentMode = $request->paymentMode;
        $txMsg = $request->txMsg;
        $txTime = $request->txTime;
        $signature = $request->signature; // read but never verified; txStatus is trusted as posted
        if ($txStatus == 'SUCCESS') {
            return redirect('credits/add')->with('successMessage', $txMsg);
        } else {
            return redirect('credits/add')->with('errorMessage', $txMsg);
        }
    }
}
OK, I figured out the problem myself.
The new versions of the browsers might be logging you out because of the new cookie policy.
References:
https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Whenever the cookie is required to be sent to the server, the browser checks the SameSite attribute to decide whether the cookie is to be sent to the server or blocked. For user actions it is sent to the server, but for auto-redirects it is not if SameSite is set to 'Strict' or 'Lax' (Lax is going to be the default value now).
Solution: The cookie attribute SameSite can be set to 'None' along with setting the 'Secure' attribute to 'true'. Setting the 'Secure' attribute to 'true' would require your site to run on https. Sites running with the http:// protocol will not be able to set a 'Secure' cookie. Please set the 'HttpOnly' attribute to 'true' so that the cookie is accessible to HTTP requests to the server only.
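The rule described in the answer, worked through for the request that actually fails here (the gateway's cross-site POST to returnUrl), together with the two session settings from the question beside the values the answer recommends. This is an added example, not code from the question, the answer or Cashfree: the cookieAttached() function is a simplified model of the browser rule (the Lax exception for top-level GET navigations comes from the MDN page linked above), and the config fragment assumes Laravel 8's default config/session.php keys and env names and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

/**
 * Simplified model of whether a browser attaches a cookie to a request,
 * given the cookie's SameSite value. Not a browser; it only encodes the rule
 * the answer describes plus the Lax exception for top-level GET navigations.
 *
 * $sameSite  'Strict', 'Lax', 'None', or null (attribute missing; modern
 *            browsers then treat the cookie as Lax).
 * $crossSite the request comes from another site (the payment gateway's page).
 * $method    HTTP method of the request.
 * $topLevel  true for a top-level navigation (address bar changes), false for
 *            a fetch/XHR or a request made from inside an iframe.
 */
function cookieAttached(?string $sameSite, bool $crossSite, string $method, bool $topLevel): bool
{
    if (!$crossSite) {
        return true; // same-site requests always carry the cookie
    }
    $mode = $sameSite === null ? 'Lax' : ucfirst(strtolower($sameSite));
    switch ($mode) {
        case 'None':
            return true; // browsers only honour None when the cookie is also Secure
        case 'Lax':
            // Lax lets a top-level GET navigation (a link or a 302 back to us)
            // carry the cookie, but not a cross-site POST such as the
            // gateway's return callback.
            return $topLevel && strtoupper($method) === 'GET';
        case 'Strict':
        default:
            return false;
    }
}

// Constructed scenario: the gateway POSTs the result to returnUrl from its own origin.
foreach ([null, 'Lax', 'Strict', 'None'] as $value) {
    $sent = cookieAttached($value, true, 'POST', true);
    printf("SameSite=%-7s -> session cookie %s on the gateway's POST\n",
        $value ?? '(unset)', $sent ? 'sent' : 'DROPPED');
}
// Same scenario but a plain GET redirect back to the site: Lax would be enough.
printf("SameSite=Lax     -> session cookie %s on a top-level GET return\n",
    cookieAttached('Lax', true, 'GET', true) ? 'sent' : 'DROPPED');

/*
 * config/session.php (Laravel 8), the two settings side by side.
 *
 * As posted in the question (session lost after the gateway's cross-site POST):
 *     'secure'    => env('SESSION_SECURE_COOKIE', false),  // cookie also sent over http
 *     'same_site' => null,                                 // attribute omitted -> treated as Lax
 *
 * As the answer recommends (site must be served over HTTPS):
 *     'secure'    => env('SESSION_SECURE_COOKIE', true),   // required for SameSite=None
 *     'http_only' => true,                                 // sent with HTTP requests only
 *     'same_site' => 'none',                               // attached to the cross-site POST
 */
```

The loop prints DROPPED for unset, Lax and Strict and "sent" only for None, which is the Firefox behaviour the question describes; the extra GET line shows why a plain redirect back to the site would have kept the session under Lax while the POST callback does not. Because SameSite=None deliberately reopens the session cookie to cross-site requests, and the callback route is already excluded from CSRF checks, the handler should authenticate the gateway's request by other means, such as checking the signature field that the controller reads but never verifies.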