I have just finished a Laravel 7 app. After finalising payments, I am now having a weird issue. I send a LOGGED IN USER to the payment gateway, the user pays and the gateway sends the user back to the website as a POST request. But the website's response action is never called. Since it is under the auth middleware, the user is, I don't know how, LOGGED OUT and sent to the login screen instead.
The route definition is as follows:
<?php
Route::middleware('auth')->group(function () {
    // This sends the user to the gateway
    Route::post('subscription', 'SubscriptionController@renew')->name('subscription.renew');
    // The gateway sends the user back here
    Route::post('subscription/process', 'SubscriptionController@process')->name('subscription.process');
});
Inspecting the network tab, the hops are as follows:
POST http://localhost:8000/subscription -> 302 << gateway >>
<< gateway >> -> POST http://localhost:8000/subscription/process -> 302 http://localhost:8000/login
In the response where the app redirects to http://localhost:8000/login, the headers have the laravel_session cookie as required.
But the action http://localhost:8000/subscription/process is never called and the user is logged out. I never had such issues up to Laravel 6 with the same payment gateway.
Moreover, I also added the below URL to the VerifyCsrfToken middleware, as at first it was throwing 419.
<?php
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from CSRF verification.
     * The gateway's return POST carries no CSRF token, so it is listed here.
     */
    protected $except = [
        '/subscription/process',
    ];
}
Can anybody shed some light on what could be the reason?
Found out! It was due to SameSite=Lax, set by default on the Laravel 7 session cookie in this commit: https://github.com/laravel/laravel/commit/2913a55d87461fabe94907c5728d7a9451bcae80
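To make the mechanism behind that answer concrete, here is an added example (not code from the question, the answer, or Laravel itself) that models the browser's SameSite decision rule and replays the two hops shown in the network trace above. The site matching is simplified to a hostname comparison (real browsers compare scheme plus registrable domain), and the gateway hostname `gateway.example` is a constructed placeholder. It shows why the cross-site POST back to `/subscription/process` arrives without `laravel_session` under `Lax`, so the `auth` middleware sees an anonymous request and redirects to `/login`, while a same-site POST, a cross-site top-level GET, or a `SameSite=None; Secure` cookie would carry it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Methods that a Lax cookie is allowed to accompany on a cross-site top-level navigation.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


@dataclass
class Request:
    method: str
    url: str
    initiator_host: Optional[str]  # host of the page that caused the request; None = typed by user
    top_level: bool = True          # top-level navigation (form submit / redirect) vs. subresource


def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `request` under SameSite rules.

    Simplification: "site" is the hostname only. An absent attribute is treated as
    Lax, matching the Chrome "Lax by default" behaviour (other browsers differ).
    """
    target_host = urlsplit(request.url).hostname
    same_site = request.initiator_host is None or request.initiator_host == target_host
    if same_site:
        return True  # SameSite never restricts same-site requests

    mode = (cookie.same_site or "Lax").lower()
    if mode == "none":
        return cookie.secure  # SameSite=None is only honoured together with Secure
    if mode == "strict":
        return False  # Strict: never on cross-site requests
    # Lax: only top-level navigations using a safe method
    return request.top_level and request.method.upper() in SAFE_METHODS


def trace_gateway_return(cookie: Cookie, return_method: str = "POST") -> List[Tuple[str, bool]]:
    """Replay the hops from the question with a constructed gateway host.

    Returns (step description, session cookie sent?) for each hop.
    """
    hops = [
        # Hop 1: the app's own form posts to /subscription (same-site), then 302s to the gateway.
        Request("POST", "http://localhost:8000/subscription", initiator_host="localhost"),
        # Hop 2: the gateway's page sends the browser back to /subscription/process (cross-site).
        Request(return_method, "http://localhost:8000/subscription/process",
                initiator_host="gateway.example"),
    ]
    return [(f"{r.method} {r.url}", cookie_is_sent(cookie, r)) for r in hops]


def lands_on_login(cookie: Cookie, return_method: str = "POST") -> bool:
    """True when the return hop carries no session cookie, i.e. `auth` redirects to /login."""
    _, returned_with_session = trace_gateway_return(cookie, return_method)[-1]
    return not returned_with_session


if __name__ == "__main__":
    lax = Cookie("laravel_session", "Lax")
    for step, sent in trace_gateway_return(lax):
        print(f"{step}: laravel_session sent = {sent}")
    print("redirected to /login under Lax:", lands_on_login(lax))
    none_secure = Cookie("laravel_session", "None", secure=True)
    print("redirected to /login under None+Secure:", lands_on_login(none_secure))
```

In Laravel 7 the attribute comes from the `same_site` key in `config/session.php`, which the linked commit changed to `'lax'`. The model above also shows the trade-off the question's VerifyCsrfToken exclusion already made: `Lax` is what stops a third-party page from POSTing into an authenticated session, so relaxing it for a gateway return (or switching the return to a GET redirect) is worth pairing with a check that the callback itself is authentic, for example a gateway signature verified server-side.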