
Logout issue after redirect to cancel/success URL when making a payment with Perfect Money in Laravel


I have a payment gateway with Perfect Money in my Laravel project.

I generated a form according to this doc: https://perfectmoney.com/sci_generator.html

The problem is that the page redirected to when the payment succeeds or fails does not work as expected. The URL is set exactly in the browser, but the page actually displays "419 | PAGE EXPIRED".

It seemed like a CSRF token problem, so I added the redirect URLs to the VerifyCsrfToken.php file. Then the 419 page no longer appears, but it seems like the session is lost. It redirects to the login page after I click the cancel button on the form provided by the Perfect Money system: https://perfectmoney.com/api/step1.asp

I don't understand how the redirect URL called by the Perfect Money system can clear the session on my system.

I did some research on this issue and found that there were several developers who had experienced the same issue as me. https://laracasts.com/discuss/channels/laravel/perfect-money-integration-some-problems

But I couldn't find an exact solution.

Am I using something wrong?


Updated:

I discovered something. If I press the payment button in my app to access the payment form provided by Perfect Money, I can see this page in action with the data I submitted: https://perfectmoney.com/api/step1.asp

However, when this URL is accessed in incognito mode, the form page is not displayed, but the welcome page is displayed (of course): https://perfectmoney.com/?welcome=1

What's interesting here is that once I press the submit payment button in my app and access the form displayed at the URL above, even if I copy that URL and paste it into the browser without pressing the payment submission button, the data I submitted is displayed as is, e.g. Payment To, Amount.

As you can see, there is no submitted data in the URL above, but we can see the data I submitted in the form using only that URL.

I think this may be done by saving the data I submitted in a session on their server and then deleting it after the payment is cancelled. Even if that's the case, I don't understand why my server's session is deleted when cancelled.

Any idea?

If someone can solve this problem, I won't hesitate to pay)). Thanks for the advice.


Solution

  • I had the same problem too, and the problem was:

    I was going from website A (with a session cookie) to website B (payment) and back to A after some time, and the session was lost.
    The problem was that the session cookie on website A was SameSite: Lax (in fact the SameSite attribute was not set, and the browser default changed from None to Lax).

    Being Lax, the cookie was not sent back when going from website B to website A.

    I solved it by setting the cookie to SameSite: None with the Secure attribute.

    References:
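As an added illustration (not code from the question or the answer above), the Laravel config/session.php fragments below put the default that loses the session on the gateway's cross-site return next to the corrected setting the answer describes; the route paths and the HTTPS deployment are assumptions.

```php
<?php
// Added example. Two versions of the session section of config/session.php.

// BEFORE: Laravel's shipped defaults. The browser withholds a SameSite=Lax
// cookie on a cross-site POST navigation, and the gateway returns the user to
// the success/cancel URL with a POST (that is why VerifyCsrfToken fired with
// a 419 in the question). Laravel therefore sees a brand-new, unauthenticated
// session and bounces the user to the login page.
$sessionBefore = [
    'secure'    => env('SESSION_SECURE_COOKIE'), // unset: cookie also sent over plain HTTP
    'http_only' => true,
    'same_site' => 'lax',
];

// AFTER: the fix from the answer. Browsers only accept SameSite=None when the
// cookie is also marked Secure, so the app must be served over HTTPS
// (assumption: the success/cancel URLs are https://).
$sessionAfter = [
    'secure'    => true,   // or SESSION_SECURE_COOKIE=true in .env
    'http_only' => true,
    'same_site' => 'none', // newer Laravel versions read this from SESSION_SAME_SITE
];

// Trade-off to keep in mind: with SameSite=None the session cookie now rides on
// every cross-site request, so the CSRF check must stay on for all other
// state-changing routes. Only the gateway's return routes, which carry no
// Laravel token, are excluded, as the question already does. Paths are assumed.
class VerifyCsrfToken extends \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken
{
    protected $except = [
        'payment/success',
        'payment/cancel',
    ];
}
```

Switching only the `same_site` value without `secure` has no effect, because the browser drops a None cookie that lacks the Secure flag.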