Google Chrome Version 84.0.4147.125 (Official Build) (64-bit) destroying application session when redirecting on callback function from third party

// Creating the session before going to the third-party gateway's hosted form

public function ezi_test() {

    if (isset($_SESSION['form_data'])) {
        unset($_SESSION['form_data']);
    }

    // Log the raw request, unpack the posted form data, then log it again
    $this->common->maintain_log(array('collection_type'=>3,'org_id'=>'','log_path'=>'gateway_log/ezidebit/hosted_payment_formdata_creation_bef','log_data'=>json_encode($_REQUEST)));
    parse_str($_REQUEST['data1'], $_REQUEST);
    $_SESSION['paynow']['tnc']['email_id'] = isset($_REQUEST['email_id']) ? $_REQUEST['email_id'] : '';
    $this->common->maintain_log(array('collection_type'=>3,'org_id'=>'','log_path'=>'gateway_log/ezidebit/hosted_payment_formdata_creation','log_data'=>json_encode($_REQUEST)));

    // Stash the form data in the session; it has to survive the round trip to the gateway
    $_SESSION['form_data'] = $_REQUEST;
}

// Retrieving the session on the third-party callback
public function ezi_hosted_payment() {

    if (isset($_SESSION['ezi_hosted'])) {
        unset($_SESSION['ezi_hosted']);
    }

    // Stays empty if the browser did not send the session cookie with the callback
    $form_data = array();
    if (isset($_SESSION['form_data'])) {
        $form_data = $_SESSION['form_data'];
        unset($_SESSION['form_data']);
    }

    $this->common->maintain_log(array('collection_type'=>3,'org_id'=>'','log_path'=>'gateway_log/ezidebit/hosted_payment_log','log_data'=>json_encode($_REQUEST)));

    $this->common->maintain_log(array('collection_type'=>3,'org_id'=>'','log_path'=>'gateway_log/ezidebit/hosted_payment_formdata','log_data'=>json_encode($form_data)));

    $final = array_merge($_REQUEST, $form_data);
    $_SESSION['pg_response'] = $_REQUEST;
    $this->ezi_gateway_paynow_sub($final);
}
Anuj Dattana asked Aug 11 '20 14:08



2 Answers

Same issue here with an OpenID authentication in ASP.NET Core 3.1 over HTTP (not HTTPS).

I could reproduce it: with the update to Version 84.0.4147.125 (Official Build) (64-bit), it always redirects to the login page. In another browser (e.g. Edge Chromium Version 84.0.522.58 (Official Build) (64-bit)) it works fine.

I read an article about it (in German): https://www.heise.de/news/Chrome-84-Google-verlangt-SameSite-Attribut-und-HTTPS-4844124.html

[Update] Found a temporary solution: in chrome://flags/, the setting "SameSite by default cookies" (Treat cookies that don't specify a SameSite attribute as if they were SameSite=Lax. Sites must specify SameSite=None in order to enable third-party usage. – Mac, Windows, Linux, Chrome OS, Android).

Set it to Disabled.

A better solution is to set the SameSite attribute on the cookie and enable HTTPS...

I guess that's the reason.

Patrizio Ricciardello answered Sep 22 '22 14:09



I found a solution for .NET Core 3.2: set up

services.AddAuthentication()
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        // The auth cookie must be sent on the cross-site callback from the IdP:
        // SameSite=None, which Chrome 84 only accepts together with Secure (HTTPS)
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    })

and when setting up the IdP (the OpenID Connect handler's options):

    .AddOpenIdConnect(options =>
    {
        // The nonce and correlation cookies take part in the same round trip,
        // so they need the Secure flag as well
        options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    });
kosnkov answered Sep 21 '22 14:09

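Added example (not code from the question or either answer), tying together the Chrome flag described in the first answer and the cookie options in the second: a small Python model of the SameSite rule Chrome 84 began enforcing, applied to a session cookie that has to survive the round trip to a third-party gateway or IdP. Assumptions: the callback is a top-level cross-site request, and Chrome's two-minute Lax+POST grace period for freshly set cookies is ignored.

```python
def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value, SameSite value and Secure flag."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return {"name": name.strip(), "value": value,
            "samesite": attrs.get("samesite", ""), "secure": "secure" in attrs}

def cookie_sent(cookie, cross_site, method, https, top_level=True, chrome84=True):
    """True if the browser attaches the cookie to the described request.

    cross_site: the request is initiated by another site (the gateway/IdP redirect)
    method:     HTTP method of that request (hosted forms often POST back)
    https:      whether our callback URL is served over HTTPS
    chrome84:   apply the Chrome 84 defaults (absent SameSite -> Lax, and
                SameSite=None requires Secure); False models older browsers
    """
    samesite = cookie["samesite"]
    if chrome84 and samesite == "none" and not cookie["secure"]:
        return False                      # rejected at set time: None needs Secure
    if chrome84 and samesite == "":
        samesite = "lax"                  # the new default that breaks callbacks
    if cookie["secure"] and not https:
        return False                      # Secure cookies never travel over HTTP
    if not cross_site or samesite in ("", "none"):
        return True
    if samesite == "strict":
        return False
    return top_level and method.upper() in ("GET", "HEAD")   # Lax rule

# Constructed headers: a session cookie with no SameSite attribute (what PHP's
# PHPSESSID emits by default) and the fix the answers propose
# (SameSite=None; Secure, i.e. SameSiteMode.None + CookieSecurePolicy.Always).
DEFAULT = parse_set_cookie("PHPSESSID=abc123; Path=/; HttpOnly")
FIXED = parse_set_cookie("PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=None")

def callback_results():
    """Is the session still reachable when the third party sends the user back?"""
    return {
        "default, POST callback, Chrome 84": cookie_sent(DEFAULT, True, "POST", True),
        "default, GET redirect, Chrome 84": cookie_sent(DEFAULT, True, "GET", True),
        "default, POST callback, older browser": cookie_sent(DEFAULT, True, "POST", True, chrome84=False),
        "None+Secure, POST callback, HTTPS": cookie_sent(FIXED, True, "POST", True),
        "None+Secure, POST callback, HTTP": cookie_sent(FIXED, True, "POST", False),
    }
```

The first and last entries are the two failures on this page: a default cookie dropped from a cross-site POST under Chrome 84, and a SameSite=None cookie that cannot be used because the callback site is plain HTTP.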