php – Laravel 7 Weird Logout Issue-ThrowExceptions

Exception or error:

I have just finished a Laravel 7 app. Upon after finalising payments, I am now having weird issue. I send LOGGED IN USER to payment gateway, the user pays and gateway sends back the user to website as a POST request. But the website response action is never called. Since it is under auth middleware, the user is I don’t know how LOGGED OUT and sent to the login screen instead.

The route definition is as follows:

<?php

Route::middleware('auth')->group(function () {

    // This sends the user to gateway
    Route::post('subscription', 'SubscriptionController@renew')->name('subscription.renew');

    // Gateway sends the user back here
    Route::post('subscription/process', 'SubscriptionController@process')->name('subscription.process');
});

Inspecting network tab about hops is as follows:

POST http://localhost:8000/subscription -> 302 << gateway >>
<< gateway >> -> POST http://localhost:8000/subscription/process -> 302 http://localhost:8000/login

In the response where the app sends to http://localhost:8000/login, the headers have laravel_session cookie as required.

But the action http://localhost:8000/subscription/process is never called and user is logged out. Never had such issues upto Laravel 6 with same payment gateway.

Moreover, I also added below URL to VerifyCsrfToken middleware as at first, it was throwing 419.

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        '/subscription/process',
    ];
}

Can anybody shed some light on what could be the reason?

How to solve:

Found out! It was due to SameSite=Lax set by default in Laravel 7 session cookie as in https://github.com/laravel/laravel/commit/2913a55d87461fabe94907c5728d7a9451bcae80 commit.

Leave a Reply

Your email address will not be published. Required fields are marked *