
Google have said that they will add the SameSite=Lax attribute to cookies by default in February 2020. In preparation, we have started testing using SameSite=Lax with all our cookies, including our session cookie (PHPSESSID).

We have come across a problem where we redirect our users to WorldPay so they can add their bank account. WorldPay then POSTs back to our website with the details of the new account. The problem is that, because this is a cross-site request, when the user comes back to our site their browser does not send the session cookie, and so they are logged out of our website.

I'm just wondering if there's a best practice on how to deal with this. SameSite protects against Cross-Site Request Forgery attacks. In our case, our Cross-Site Request is not a Forgery or an attack, so we want to do the equivalent of whitelisting the request.

I'm thinking we can store the session id in the database before we send the user to WorldPay, then restore the session using the previous session id when they come back. Of course, the challenge is knowing the person that came back is the same person that left. I'm thinking we can do that by setting a SameSite=None cookie with a secret token, and re-check that token on the return.

This issue must be a common "problem" in the new age of SameSite cookies. I'm interested in hearing how you solved it.

Tom

1 Answer

SameSite=Lax only sends cookies for "safe" top-level navigations, and this is what is excluding POST. As you specifically want a cross-site cookie here, you should mark it as SameSite=None; Secure.

There's more context at https://web.dev/samesite-cookie-recipes and PHP examples at https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md

rowan_m
  • I agree, that would solve our problem. But I want to have my cake and eat it too ;). I.e. I want to protect our website from CSRF attacks by setting SameSite on PHPSESSID but figure out how to allow some cross-site requests on a case-by-case basis. – Tom Nov 15 '19 at 07:29
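The following is an added example, not code from the question, the answer, or WorldPay, showing the scheme the question sketches combined with the answer's advice: PHPSESSID stays SameSite=Lax, and only a separate, single-use return token is issued as SameSite=None; Secure so that it survives the cross-site POST back. It assumes a PDO connection `$db`, an illustrative table `handoffs(token_hash, session_id, expires_at)`, a return endpoint at `/worldpay/return.php`, and PHP 7.3 or later (the first version whose `setcookie` and `session_set_cookie_params` accept a `samesite` option). All of those names are assumptions, not anything the page specifies.

```php
<?php
// Added example for the SameSite handoff discussed above; not the page's own code.
// Assumed: a PDO handle $db, a table handoffs(token_hash, session_id, expires_at),
// WorldPay posting back to /worldpay/return.php, and PHP >= 7.3.
declare(strict_types=1);

const HANDOFF_COOKIE = 'wp_handoff';          // name of the SameSite=None token cookie (assumed)
const HANDOFF_PATH   = '/worldpay/return.php'; // only the return endpoint ever receives it (assumed)
const HANDOFF_TTL    = 900;                    // seconds a return token stays valid

// The session cookie itself keeps SameSite=Lax, so ordinary cross-site POSTs
// (the CSRF case) still arrive without PHPSESSID.
function startLaxSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Step 1, before redirecting to WorldPay: remember the current session id under
// a random token and hand the token to the browser in a SameSite=None cookie.
function beginHandoff(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('start the session before beginning a handoff');
    }
    $token = bin2hex(random_bytes(32));
    $stmt  = $db->prepare(
        'INSERT INTO handoffs (token_hash, session_id, expires_at) VALUES (?, ?, ?)'
    );
    // Store a hash so a database read alone does not yield a usable token.
    $stmt->execute([hash('sha256', $token), session_id(), time() + HANDOFF_TTL]);

    // SameSite=None is only honoured together with Secure. Scoping the path to the
    // return endpoint keeps this cross-site-capable cookie off every other request.
    setcookie(HANDOFF_COOKIE, $token, [
        'expires'  => time() + HANDOFF_TTL,
        'path'     => HANDOFF_PATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
}

// Step 2, in /worldpay/return.php: the browser withheld PHPSESSID on the cross-site
// POST, so look the session up by the token, consume the token, and resume the session.
// Returns true when the original session was restored.
function completeHandoff(PDO $db): bool
{
    $token = $_COOKIE[HANDOFF_COOKIE] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $tokenHash = hash('sha256', $token);

    $stmt = $db->prepare('SELECT session_id, expires_at FROM handoffs WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Single use: delete the row and clear the cookie whatever the outcome, so a
    // replayed token cannot resume the session a second time.
    $db->prepare('DELETE FROM handoffs WHERE token_hash = ?')->execute([$tokenHash]);
    setcookie(HANDOFF_COOKIE, '', [
        'expires'  => 1,
        'path'     => HANDOFF_PATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);

    if ($row === false || (int) $row['expires_at'] < time()) {
        return false;
    }

    // Resume the stored session, then rotate its id: the browser still holds the old
    // Lax cookie, and the response to a cross-site POST may set a replacement one.
    session_id($row['session_id']);
    startLaxSession();
    session_regenerate_id(true);
    return true;
}
```

Two caveats the page does not spell out. First, a SameSite=None cookie is, by design, sent on any cross-site request to its path, so the return endpoint is exposed to CSRF to exactly the extent that the token cookie is: keeping the token single-use, short-lived and path-scoped limits that, but the endpoint must still authenticate the WorldPay payload itself by whatever means WorldPay provides, rather than trusting the POST body because the token matched. Second, the token only proves that the browser that returned is the one that left; it should not be treated as authorisation for anything beyond re-attaching the session that the user already held.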