cookies, asp-classic, http-headers

Request.Cookies not working when the page was initialized by a third party website


I have included menu.asp in the header of all web pages on my website:

<!--#include file="menu.asp"-->

and there is code to check whether the user has already signed in:

<%
' Show the signed-in user name from the "user" cookie, or a sign-in prompt when it is absent
if request.cookies("user")<>"" then
    response.write request.cookies("user")
else
    response.write "sign in"
end if
%>

The code above works fine on all pages except when the user comes back from the bank payment. The bank website posts the result of the payment (and perhaps sets some HTTP headers) to a special URL on my website and I display a thank-you message. Everything works except that request.cookies("user") returns null on this special page. I have checked the console and the "user" cookie exists, and it works on other pages if I browse other pages after that.

Are there some special conditions when the header of the page is set by a third-party website?


Solution

  • Browsers have changed the default for cookies so they are no longer sent by default on requests from third-party sites, to prevent CSRF attacks.

    Have a read of this for more details: https://web.dev/samesite-cookies-explained/

    You can make this work like it used to by adding SameSite=None when setting the cookie, so browsers will still include the cookie on requests from third-party sites, like it used to. However, that does mean any request can be made to include the cookie (like it used to) and so may leave your application vulnerable to attacks by a malicious party while someone is logged in. So think carefully about whether you really want to do this, or whether there's a better way to handle this.
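As an added example (not part of the answer above or of the original post), here is a small Python model of the browser rule the answer describes, plus a helper that builds the Set-Cookie header a site would emit. The function and scenario names (cookie_sent, set_cookie_header, BANK_RETURN) are my own. The bank's callback is a cross-site, top-level POST; a cookie set without a SameSite attribute is treated as Lax by current browsers, and Lax cookies only accompany cross-site top-level GET/HEAD navigations, which is why the cookie shows up when the user then browses other pages. In Classic ASP the header string produced below is what you would send with Response.AddHeader "Set-Cookie", ... on IIS versions whose Response.Cookies object has no SameSite property.

```python
"""Model of SameSite cookie handling for the bank-return scenario.

Constructed example: the request scenarios and names are assumptions made
for illustration, not code from the original question or answer.
"""
from typing import Optional

VALID_MODES = ("Strict", "Lax", "None")


def cookie_sent(samesite: Optional[str], secure: bool, *, cross_site: bool,
                top_level: bool, method: str, https: bool) -> bool:
    """Return True if a browser would attach the cookie to this request.

    samesite: the SameSite attribute value, or None when Set-Cookie omitted it
              (modern browsers then default to Lax).
    secure:   whether the cookie carries the Secure attribute.
    """
    mode = (samesite or "Lax").capitalize()
    if mode not in VALID_MODES:
        raise ValueError(f"unknown SameSite value: {samesite!r}")
    if mode == "None" and not secure:
        # SameSite=None without Secure is rejected at Set-Cookie time,
        # so the cookie is never stored and can never be sent.
        return False
    if secure and not https:
        return False            # Secure cookies only travel over HTTPS
    if not cross_site:
        return True             # same-site requests always get the cookie
    if mode == "None":
        return True             # explicitly opted in to cross-site use
    if mode == "Strict":
        return False            # never sent cross-site
    # Lax: only top-level navigations using a safe method carry the cookie.
    return top_level and method.upper() in ("GET", "HEAD")


def set_cookie_header(name: str, value: str, samesite: str = "Lax",
                      secure: bool = True, http_only: bool = True,
                      path: str = "/") -> str:
    """Build the Set-Cookie header value; SameSite=None always forces Secure."""
    mode = samesite.capitalize()
    if mode not in VALID_MODES:
        raise ValueError(f"unknown SameSite value: {samesite!r}")
    if mode == "None":
        secure = True           # required, or browsers drop the cookie
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={mode}")
    return "; ".join(parts)


# Constructed scenario: the bank POSTs the payment result to the merchant's
# HTTPS callback URL, which is a cross-site top-level navigation.
BANK_RETURN = dict(cross_site=True, top_level=True, method="POST", https=True)


def user_cookie_on_bank_return(samesite: Optional[str], secure: bool = True) -> bool:
    """Would the 'user' cookie reach the payment-result page?"""
    return cookie_sent(samesite, secure, **BANK_RETURN)


def user_cookie_on_next_click(samesite: Optional[str], secure: bool = True) -> bool:
    """Would the cookie reach the next page the user opens by following a link?"""
    return cookie_sent(samesite, secure, cross_site=False, top_level=True,
                       method="GET", https=True)


if __name__ == "__main__":
    for mode in (None, "Strict", "Lax", "None"):
        print(f"SameSite={mode!s:6} bank return: {user_cookie_on_bank_return(mode)}"
              f"  next click: {user_cookie_on_next_click(mode)}")
    print(set_cookie_header("user", "alice", samesite="None"))
```

Running it shows only SameSite=None delivers the cookie to the POSTed callback, while every mode delivers it on the following same-site click, matching what the question observed. Because Lax cookies do travel on cross-site top-level GETs, an alternative to weakening the cookie is to have the callback URL answer the bank's POST with a redirect to a GET thank-you page, which then receives the default Lax cookie; that keeps the session cookie out of cross-site POSTs.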