Since Chrome 79 session "lost" after redirect

I have this weird thing I can't seem to figure out since the release of Chrome 79.

On the website you register. After registration you need to pay. Payment happens on another site; Buckaroo is the payment provider. After the payment you will be redirected to our site (via a POST request) again. This is where the funny stuff begins: at first you were signed in, so you should still be signed in since you've been away for a short period. But the session doesn't seem to be recognized, so you will be redirected to our login page. But if I take the same redirect URL from one step earlier, it works as expected.

So it looks like it has something to do with redirecting from other domains or something?

I've searched in the code; while debugging I see the session can't seem to be found. The last change in this part of the code is from over a year ago, and it has worked perfectly ever since. This is why I have no code examples added to this question. I've searched through the release notes of Chrome 79 but still have no clue.

Any clue/idea where to look next?

-- EDIT --

I found out the sessionID actually changes.

On my site, selecting a payment method (after the confirmation you will be redirected): HttpContext.Session.SessionID: "qibxyymxhvev231n01ndlkyx"

Returning from the payment provider: HttpContext.Session.SessionID: "mwkfptaod0hpyuedvaimtqd0"

Refreshing the site again: HttpContext.Session.SessionID: "qibxyymxhvev231n01ndlkyx"

Willem asked Jan 25 '23 09:01


2 Answers

I was struggling with the same issue. I found a good article on this: samesite=none cookies. The article is written for ASP.NET users.

I'm working in PHP, but the stuff is also relevant to PHP.

Only there you should use other methods. The methods also depend on the PHP version you use; until PHP 7.3 you can use something like this:

setcookie('PHPSESSID', $_REQUEST['id'], time() + 60 * 60 * 24 * 1, '/; samesite=None; Secure;');

Since PHP 7.3 you can use the set_cookie_params() function.

A short summary of the article is that the problem is caused by the session of a user being set without the flag "samesite=none; Secure;". This has been happening since Chrome version 80. Be aware that by fixing the issue for Chrome 80, you may break your application for Apple users, so you need to add a check for the user agent/browser. You will find more info in the article above.

Aleksandra Chuprova answered Feb 23 '23 03:02


Faced the same issue. Turns out that it is related to Microsoft.

Adding CookieSameSite="NONE" in WebConfig will probably solve your problem.

I added this in my config and it solved the issue.

<system.webServer>
  <rewrite>
    <outboundRules>
      <clear />
      <!-- Append "; SameSite=None" to every outgoing Set-Cookie header that does not already carry it -->
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=None" />
        <conditions> </conditions>
      </rule>
      <preConditions>
        <!-- Only fire when a Set-Cookie header is present and lacks SameSite=None -->
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
  <!-- Note: Chrome 80+ only keeps a SameSite=None cookie if it is also marked Secure, i.e. served over HTTPS -->
</system.webServer>

Shehroz Ahmed answered Feb 23 '23 01:02
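To see why the question's cross-site POST return drops the session cookie, and why the SameSite=None fix in both answers works, here is an added Python model (not code from the question or either answer) of the Chrome 80 rules: Lax-by-default for cookies without a SameSite attribute, rejection of SameSite=None cookies that are not Secure, and the two-minute "Lax + POST" grace period. The cookie headers and ages fed to it are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LAX_POST_GRACE_SECONDS = 120  # Chrome's "Lax + POST" mitigation window


@dataclass
class Cookie:
    samesite: Optional[str]  # explicit attribute, lower-cased, or None if absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Pull the attributes that matter for SameSite handling out of a Set-Cookie header."""
    samesite, secure = None, False
    for attr in header.split(";")[1:]:  # skip the name=value pair
        key, _, value = (s.strip().lower() for s in attr.partition("="))
        if key == "samesite" and value in ("none", "lax", "strict"):
            samesite = value
        elif key == "secure":
            secure = True
    return Cookie(samesite, secure)


def is_stored(cookie: Cookie) -> bool:
    """Chrome 80+ rejects a SameSite=None cookie that is not also Secure."""
    return not (cookie.samesite == "none" and not cookie.secure)


def is_sent(cookie: Cookie, *, cross_site: bool, method: str,
            top_level: bool, age_seconds: float) -> bool:
    """Decide whether the browser attaches the cookie to a request."""
    if not is_stored(cookie):
        return False
    if not cross_site or cookie.samesite == "none":
        return True                      # SameSite only restricts cross-site requests
    if cookie.samesite == "strict" or not top_level:
        return False
    if method.upper() in SAFE_METHODS:
        return True                      # Lax allows top-level GET navigations
    # "Lax + POST": a cookie with no SameSite attribute set less than 2 minutes
    # ago is still sent on a top-level cross-site POST; an older one is not.
    return cookie.samesite is None and age_seconds < LAX_POST_GRACE_SECONDS


def survives_payment_return(set_cookie: str, age_seconds: float) -> bool:
    """The question's scenario: the payment provider POSTs the user back to our site."""
    return is_sent(parse_set_cookie(set_cookie), cross_site=True,
                   method="POST", top_level=True, age_seconds=age_seconds)
```

Feeding your own application's Set-Cookie headers through `survives_payment_return` shows which cookies a Chrome 80+ browser will drop on the return from the payment provider and which are fixed by "SameSite=None; Secure".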