#Village_Admin-Checkout

As long as i stay on the checkout page, i can reload a page on my site in another browser window and see the session is still alive. But as soon as i click the back/cancel link the cookie holding the session in the browser is replace with a new PHP session cookie.

If it matters, the cookie is saved with

path="/"
HttpOnly = true
Secure = true
SameSite = Strict

Yes because basically we reset the Checkout session once it's canceled

Im not thinking how that should effect the session set on my site, doesn't stripe use its own session under its own domain?

Hmm I may overlooked. You means your own cookies get deleted?

My own PHP session (not checkout session object), that i create with session_start();

Which adds a PHP session cookie to the browser

that cookie saved under my domain is getting deleted every time i click the back/cancel link on the checkout page. I can't get my head around how that is mechanically happening.

That sounds odd to me, as Stripe should only control its own cookie

should only be able to

I agree with you on that point

Yeah, but i can't figure out what might be causing it. If i dont click that link the session stays.

How to you do session? Redirection?

Right now, just in dev, im creating the session object, it returns the url which im tossing into an <a href> then clicking it to open the checkout page in another window so i can see both my site and the checkout page.

Is stripe proxying the link? Like trying to load the link through the stripe server? I do have session hijacking protection, if the IP changes on a session it deletes it. But i don't see that happening from what i can see.

But even if stripe is loading the URL, i don't see how it would be able to transmit the users cookie with that session.

I am not following the proxying part. What do you mean by load the link through stripe server? Checkout is a Stripe hosted page and it's loaded by Stripe server by default

Generally I think your use case is a bit special. Normally we recommend to do redirection. What's preventing you from using redirection?

Nothing, im not there yet, im still building it. This is an issue im having while designing the intergration.

For now, im dumping the object so i can see it, verify it, customize what i need before polishing the page for users.

Can I have a public URL to see it myself?

Can i DM?

We don't setup to receive DM 🙂 Not comfortable sharing?

The site is in dev and not ready for public yet. Id have to open it up temp for you and id rather not leave the URL archived.

I guess i can post/delete it here.

Yes! but it would be hard if I want to forward this back to Checkout team and they can't see it anymore

But okie let's first do it quick

Okay, im ready. You?

Sure

...
Fill out an email, you can put "asdfasdfs" garbage.
Then just click any of the [Get] buttons on the domains.
Then open the <checkout> link in another tab/window
You can reload my site and see the session still alive. It is var dumped at the bottom of the page.

But as soon as you click the back link on the checkout page that session gets deleted

SID, right?

Yes

It's not deleted in my test

Look at the SID value before you click checkout link, then look at it after opening the checkout page, its the same, then look at after clicking back link, its replaced with a new / different cookie.

But as you can see, if you dont click the back link, you can go back to my site and reload the page as many times as you want, it never gets changed

Oh yes the value changed

I believe the logic to regenerate the ID kicked off when you refresh the page, after cancelled Stripe Checkout

I believe its only "changed" because when reloading the page it does session_start() and because the old cookie is gone for some reason it makes a new one

Trying to figure out why that cookie is getting deleted.

Because if you dont click the link, and you just manually put the URL in the browser URL bar, the cookie/session stays.

So what is happening with that link? It makes no sense to me, it looks like an innocent <a></a>

Im looking on the backend, and the sessions themselves are still there. So PHP didn't delete the session, just the cookie is lost causing a new session to be created.

Ummm

The only thing i can think of... is if stripe is tunneling some how, like when the user clicks that cancel link, they are loading my site through the stripe server. So the IP doesn't match the session.

No way

I don't see that happening, but i can't think of another explaination.

Stripe don't know specific website for sure. There could be millions of website

Did you see if you paste the URL into the browser directly from the checkout page it loads the session no problem?

yes

Which confuses me why it would act different as a link.

Do you think the refer has something to do with it? Is it a built in browser security feature?

Wait a min, what was different, again

Cause that is the only difference between a link and manual URL

If I click the link, vs if I open the link in new tab

The cookie SID value (the hash) is different. Causing the old session not to be found and a new session to be created.

When i look on the backend, the old session is still there, it wasn't deleted.

Or you asking something different?

Oh I see

Im going to try a test, make a html to link to first and have that redirect to PHP to remove a foreign site refer

a minute

Yep, that is a "work around"

Try it now, it works, notice the link goes to a .htm page from stripe, then that .htm redirects to the PHP page and the session is still good.

So im going to assume a browser safety feature that is killing the cookie because of the refer to the session is a different site when it goes to PHP straight from stripe.

Huh, learned something new.

Please let me know when you done so i can close the site off.

You can close it whenever you wanted!

Okay, thanks for humoring me to find the issue.

Im done.