
I have a .NET web application where I seem to lose my session on a post back after the user makes a payment on the payment gateway.
1. User signs into the portal.
2. Based on a transaction in the portal, at one point the user is directed to the payment gateway portal.
3. When calling the third party payment gateway we pass the call back URL to which the payment status is posted along with some details.
4. When I ran it through the trace I see that the ASP.NET_SessionId cookie which was generated when user signed into my app was passed back to me by the payment gateway in step #3 above.
5. At this point when I try to retrieve the session details, they are missing. As a result I throw the user out back to login page instead of confirming the status of the payment.

I believe when the post back happens from the payment gateway the session does not get retrieved in my IIS. I checked AppPool recycle time-out (set to default 1740) which would have recycled the sessions. However this happens multiple times within a 1740-minute time span. My default idle time out is 20 minutes. When it does occur it is not the case that the user was idle for more than 20 minutes.

This is intermittent and may happen to few users at any given point in a day. What might be causing it and how do I track the sessions in IIS to see if it has really expired?

Rahul J
  • Did you solve this? – IronSean Jan 28 '20 at 21:16
  • I'm facing a similar issue. Any solution to fix this? – Debasish Jan 30 '20 at 11:29
  • What we determined was the response back from payment gateway to our portal was a redirect. However the re-direct URL that we had configured was with HTTP while the user had signed into the portal using HTTPS. As a result I believe with HTTP redirect the same session was not available and hence lost all the payment data to upload the result from the payment gateway transaction. – Rahul J Feb 01 '20 at 16:47

1 Answer


I'm facing a similar thing actually.

I've yet to solve it but here are a few things I've had to check.

Ensure that the URL that you are returning the payment gateway to is the same http/https mechanism. If your session cookie is secure only and you are returning to non-secure then the session will be lost.

I'm struggling because even though the session should still be active, the only way I can get it back is by appending the session id to the URL, which is less secure.

and then adding to my code before the session_start call

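// If the gateway posts the session ID back in the 'sessionname' field,
// tell PHP to use that ID. session_id() must be called before session_start().
if (isset($_POST['sessionname'])) {
     session_id($_POST['sessionname']);
}

// Resume the session with the ID set above, or start one as usual.
session_start();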
Brett
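The scheme check described in the answer and in the asker's follow-up comment, as an added example that is not part of the original posts or the asker's application: it models the browser-side rules (RFC 6265 Secure, domain and path matching) that decide whether a session cookie accompanies the return request to the callback URL. It goes slightly beyond the HTTP/HTTPS case by also checking host and path; the host `portal.example.com`, the callback paths and the function names are assumptions.

```javascript
// Domain-match: a host-only cookie needs the exact host;
// a cookie set with Domain= also matches subdomains.
function domainMatches(host, cookie) {
  const d = cookie.domain.toLowerCase().replace(/^\./, '');
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === d;
  return host === d || host.endsWith('.' + d);
}

// Path-match as defined in RFC 6265 section 5.1.4.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Returns the reasons the browser would withhold the cookie on a request
// to callbackUrl; an empty array means the cookie is sent.
function whyCookieWithheld(cookie, callbackUrl) {
  const url = new URL(callbackUrl);
  const reasons = [];
  if (cookie.secure && url.protocol !== 'https:')
    reasons.push('Secure cookie is not sent over ' + url.protocol.replace(':', ''));
  if (!domainMatches(url.hostname, cookie))
    reasons.push('host ' + url.hostname + ' does not match cookie domain ' + cookie.domain);
  if (!pathMatches(url.pathname, cookie.path))
    reasons.push('path ' + url.pathname + ' is outside cookie path ' + cookie.path);
  return reasons;
}

// Constructed sample: session cookie as set at HTTPS login on a hypothetical host.
const sessionCookie = { name: 'ASP.NET_SessionId', domain: 'portal.example.com',
                        hostOnly: true, path: '/', secure: true };

// Constructed callback URLs as they might be registered with the gateway.
const callbacks = [
  'http://portal.example.com/payment/return',      // scheme differs from login
  'https://portal.example.com/payment/return',     // same scheme and host as login
  'https://www.portal.example.com/payment/return', // different host
];
for (const cb of callbacks) {
  const reasons = whyCookieWithheld(sessionCookie, cb);
  console.log(cb, '->', reasons.length ? 'NOT sent: ' + reasons.join('; ') : 'sent');
}
```

Running the same check against the callback URL actually registered with the gateway, with the cookie attributes taken from the login response's `Set-Cookie` header, shows whether the return request can carry the session at all.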